What Lovable teaches us about AI tools
A journey into vibe coding, security nightmares, and the future of web tools.
Two weeks ago, I started experimenting with Lovable, one of the so-called “vibe coding” platforms that let you generate web applications just by describing what you want. The code is created for you automatically. I was curious to see if it could help me build a static website I needed - and it turns out, it could. Very easily, in fact.
Encouraged by that success, I pushed further and built a slightly more complex application. Finally, I decided I'd use it to build my lab’s website. The overall experience was surprisingly good. Lovable is incredibly intuitive: you tell it what you want, and within a short time, you get a working prototype. But of course, that’s just the beginning.
The Easy Start & the Hard Work That Follows
Once the prototype is ready, the real work starts: modifying, extending, and refining the code until it does exactly what you want. And that part isn’t always trivial.
Here’s an en example of a major limitation: While Lovable does have a visual preview of what it’s producing, it doesn’t itself see it. Often, I’d ask it to do something, and it would respond, “Done.” But nothing would actually appear on screen. The code was generated, but it was broken in subtle ways that stopped things from rendering correctly. For example, I asked for a hero section with a background image. Lovable confirmed it had added it, but the image wasn’t visible. These moments are frustrating. You end up in a loop of saying “no, that didn’t work, try again,” which not only wastes time but also costs money, since you’re paying per usage.
Another problem is how Lovable handles errors. Sometimes it fails to execute a request and just shows a “Fix this error” button - which, when clicked, usually works, though sometimes only after a few tries. Why not fix the error automatically?
It’s also wrong to think of these tools as no-code tools. You will very soon have to use a bit of code, or at least understand what is happening. I’m attaching two screenshots of outputs that Lovable generated - tell me which ones you understand without any coding background?
Lovable also tends to trivialize complex backend work, with serious consequences. For example, when I requested an admin interface, it generated one - with a hardcoded password in the source code 😱 !
The Hidden Dangers of Vibe Coding
This brings me to a deeper concern: vibe coding tools like Lovable are powerful, but they enable people with no technical understanding to deploy websites, including those that handle user data, with little awareness of the security implications. A broken personal site is one thing. But a site collecting user data with hardcoded credentials can be a massive liability. I was recently at an event where someone vibe coded a Chrome extension and published it. Yikes…
And with the rise of vibe coding tools, we’re likely to see thousands of such sites and tools deployed, poorly secured and ripe for exploitation. The pain is coming. That doesn’t mean the tools are somehow fundamentally. But it does mean they’re being adopted faster than the safeguards are evolving.
Further, even though Lovable allows GitHub syncing, you inevitably become dependent on the tool. If you didn’t write the original code, fixing bugs or security issues will often require Lovable again, and if you’ve used up your tokens, you’ll need to upgrade to a more expensive plan just to patch your own website. That’s a bad user experience and could become a major source of frustration.
But Still: A Game-Changer in the Making
Despite all these issues, I’m quite excited about these tools. The issues I encountered aren’t fundamental flaws, but rather growing pains. And most of them will be fixed. When they are, this will be absolutely transformative.
Watching Lovable generate code line-by-line reminded me of the early web, when images loaded slowly, line-by-line. Then came broadband and better browsers, and everything changed. The same leap is about to happen with AI-powered development, but on a much faster timeline.
Within a year, I expect tools like Lovable will automatically detect and fix rendering issues, understand visual layouts (via vision capabilities), reason about backend logic and security, offer fast integrations with third-party service, provide sophisticated real-time collaboration, and many other features. At that point, you’ll describe what you want, and get a polished, secure, fully functional app in no time.
The WordPress Killer?
One especially exciting use case is content management. Editing websites is still annoyingly complex. WordPress tried to solve it, but ended up bloated, inflexible, and painful to use. (The last time I tried to update a WordPress site, I needed o3 by my side, and I still failed.)
Lovable, by contrast, lets you make anything editable. Add sections, remove parts, update styles, all via natural language. This approach has the potential to entirely replace the WordPress model. It's vastly more powerful and intuitive. It’s also telling that this kind of innovation didn’t come from WordPress or Wix or Squarespace, but from a completely new actor. That’s the pattern of disruption: the new players don’t have to make the old work; they can rethink from scratch. Eventually, from a product point of view, the “new” will resemble the “old” again (people are asking for solutions to problems, not technical tools), but underneath, it will be fundamentally different - in this case, powered by orchestrated armies of LLMs doing all the work.
It took me about 8 hours to build and deploy my lab’s website end-to-end. Deployment was literally just the push of a button. I used to host an older version of the site on Netlify, but eventually redeployment broke because some outdated Node.js library threw errors I couldn’t (and didn’t want to) debug. I kept wondering: how is this still so complicated in the 2020s? With Lovable, it finally feels like that pain might be over. My prayers, it seems, have been heard.
Lessons learned
There are a few takeaway lessons here that go beyond Lovable.
First, AI tools are great at getting you 80% of the way there, very fast. But that last 20% is still hard. It often requires actual coding, real debugging, and a lot of patience. These are not truly “no-code” tools. They’re low-barrier tools that still assume some technical fluency.
Second, security is generally an afterthought. That’s a serious concern. These systems generate apps that look finished, but behind the scenes, basic security practices are often totally missing. We’re heading into a phase where lots of non-technical users deploy risky software without knowing it.
Third, while the tools feel liberating, they can also trap you. If the AI writes the code, the AI also needs to fix the code, and that can mean you’re easily locked into a tool where you pay per usage, just to maintain or secure your own product. Nothing against paying for a service, but the idea that you pay more for a software the more you use it still feels quite alien, at least for individual consumers.
And finally: we’re early. Very early. The problems today - lack of reasoning, no visual feedback, limited error recovery, etc. - will get smoothed out fast. When they do, the entire UX of web / app development may look completely different. And once again, it’s unlikely the incumbents will lead that change.
CODA
This is a newsletter with two subscription types. I highly recommend to switch to the paid version. While all content will remain free, all financial support directly funds EPFL AI Center-related activities.
To stay in touch, here are other ways to find me:
Thanks for sharing your experience! One of my collaborators used Cursor for some tool-building, but has found that co-pilot is still his best solution for coding speed ups. Have you compared Cursor and Lovable? I’ve found that the code solutions are never quite what I was trying to build, but sometimes it’s close enough.