I’m trying to look at this from a neutral point of view which is why I believe enforcing a disclosure, when (AI) models are used, would benefit the community.
I believe using models can harm privacy when not used correctly because they’re more likely to output misleading or outright incorrect information due to “hallucinations”. And from my experience, more often than not this is the case with the projects I see.
I’m curious what others think about this, if you disagree, please let me know why.


OK, seeing you asked for pushback.
TL;DR: Tool disclosure is a poor proxy for doing your own due diligence.
“Forced disclosure about AI use in projects” sits sorta funny for a privacy based group, doesn’t it? Kinda “Papers, please”. Smells bad.
How would you even verify “did this project use an LLM” anyway? If I don’t disclose, what’s the back up, pistols at dawn? Read the code (if available), or get a third party checker…like an LLM? Do you have capacity to audit? Or is it just “trust me, bro” (which if you’re actually concerned about due diligence, isn’t enough).
More to the point: disclosure tag doesn’t change whether the code is accurate, safe or good. Shitty code is shitty either way, so the tag doesn’t touch the actual harm you’re concerned about.
What it does do is create two classes: labeled projects get extra scrutiny, unlabeled ones get a free pass, “no disclosure, must be hand-written, must be fine.” Backwards. Honest disclosure gets tarnished as slop, staying quiet gets rewarded. (Go check !selfhosted right now for such an occurrence).
Better footing: assume ALL software in 2026 has had AI assistance, and review it on its merits.
There are better quality signals than hand on bible “are you now or have you ever been” oaths or performative humiliation for the FuckAI crowd.
For what it’s worth, I use an LLM to write code because I’ve got osteoarthritis and typing all day isn’t free. But if you think that means logging into Claude and telling it “make this for me, no mistakes”, you couldn’t be more wrong.
I define the project, I pseudo-code it with pen and paper (hurts my hands less), I scope every ticket (yes, I make the LLM go thru a 3-stage ticket review), I review outputs, I smoke test and I even call in outside reviewers to spot check sometimes. I’m an absolute bastard to it in QA. I do that because when I’m done, I can stand in front of it and honestly tell you I made this, even if my fingers didn’t type most of it. And if it’s fucked, that’s on me, not “hallucinations”.
So, what box do I tick - “AI-assisted”? “Vibe slop”?
That tells you nothing about who’s accountable or how it was made. It carries no nuance and silently resolves to “ignore this one, a robot wrote it,” … which is backwards for projects where the human did more QA than most “fully human” teams ever do.
As always, ICBW and YMMV.
There are different ways; checking if a CLAUDE.md, AGENTS.md or SKILLS.md file is present is often enough. Obviously this isn’t bulletproof, but it’s better than no disclosure in my opinion.

I didn’t say it has to be a tag. What I had in mind was a simple disclosure in the post description explaining how you used AI for the project (or just a simple “this project is AI assisted” if you don’t know the extent, e.g. projects that aren’t yours).
I don’t necessarily have an issue with experienced developers using AI to write the code for them, which is what I mean by “when not used correctly”. I do take issue with inexperienced developers that create privacy-related software without proper knowledge of what their code actually does (AKA vibe-coding) and go around promoting it as “privacy-friendly” and “secure” while that may not be the case.
Maybe there are better ways to go about this though, which is partly why I created this post.
C’mon now…leaving Agents.md in the repo is bush-league :)
You can bet your bottom dollar if the claude.md or agents.md hasn’t been added to the gitignore, then it’s -
intentional
actual slop (which you can more easily tell in 2 seconds of looking at the readme.md)
Same issue before though, be the actual disclosure a tag or a statement.
Slop is galling for sure but if we’re talking about trust…well…why trust anyone based on what they say (or don’t say)?
“Trust but verify” means I still verify. If the thing is mission critical or important to you, then you SHOULD verify, always. Hell, if the threat profile is high, sandbox it and sniff the packets it sends.
Personally, I think you having to look at the porn I look at is sufficient punishment for snooping on me :)
Some of this is social engineering. “I have nothing I want to show” works even better when I literally can’t (because X isn’t on my phone or Y doesn’t run on my PC)
I think so.
Beyond the obvious slop (which is exceedingly obvious), you’re going to waste a lot of cognitive bandwidth trying to sniff out AI.
May as well assume AI is used by default and then do the due diligence on the privacy aspects that are of concern to you.
That holds true whether the project is hand coded or AI assisted. If it’s important, poke it.
Assume all software is “guilty until proven innocent”
But please don’t fall into the FuckAI mindset because llm=bad.
Most devs aren’t going to perform contrition for AI use to appease a vocal minority. They’re just not. There’s no upside for them and it reads desperate.
I’m happy to tell you if asked because IDGAF if you use my shit or not. If I’m sharing it, it’s free, open source and shared out of love. I have no brand or portfolio I’m trying to boost. If you can’t see the USP, it’s probably not for you - and that’s fine.
It also usually means I made it for me first, so I’m probably not out to steal bitcoin or nudes. Still, do your own due diligence and poke it. I would.