I’m trying to look at this from a neutral point of view which is why I believe enforcing a disclosure, when (AI) models are used, would benefit the community.
I believe using models can harm privacy when not used correctly because they’re more likely to output misleading or outright incorrect information due to “hallucinations”. And from my experience, more often than not this is the case with the projects I see.
I’m curious what others think about this, if you disagree, please let me know why.


There are different ways, checking if a CLAUDE.md, AGENTS.md or SKILLS.md file is present is often enough. Obviously this isn’t bullet proof but it’s better than no disclosure in my opinion.
I didn’t say it has to be a tag, what I had in mind was a simple disclosure in the post description explaining how you used AI for the project (or just a simple “this project is AI assisted” if you don’t know the extent, e.g: projects that aren’t yours).
I don’t necessarily have an issue with experienced developers using AI to write the code for them which is what I mean with “when not used correctly”. I do take issue with inexperienced developers that create privacy related software without proper knowledge of what their code actually does (AKA vibe-coding) and go around promoting it as “privacy-friendly” and “secure” while that may not be the case.
Maybe there are better ways to go about this though, which is partly why I created this post.
C’mon now… leaving Agents.md in the repo is bush-league :)
You can bet your bottom dollar if the claude.md or agents.md hasn’t been added to the gitignore, then it’s -
intentional
actual slop (which you can more easily tell in 2 seconds of looking at the readme.md)
Same issue before though, be the actual disclosure a tag or a statement.
Slop is galling for sure but if we’re talking about trust…well…why trust anyone based on what they say (or don’t say)?
“Trust but verify” means I still verify. If the thing is mission critical or important to you, then you SHOULD verify, always. Hell, if the threat profile is high, sandbox it and sniff the packets it sends.
Personally, I think you having to look at the porn I look at is sufficient punishment for snooping on me :)
Some of this is social engineering. “I have nothing I want to show” works even better when I literally can’t (because X isn’t on my phone or Y doesn’t run on my PC)
I think so.
Beyond the obvious slop (which is exceedingly obvious), you’re going to waste a lot of cognitive bandwidth trying to sniff out AI.
May as well assume AI is used by default and then do the due diligence on the privacy aspects that are of concern to you.
That holds true whether the project is hand coded or AI assisted. If it’s important, poke it.
Assume all software is “guilty until proven innocent”
But please don’t fall into the FuckAI mindset because llm=bad.
Most devs aren’t going to perform contrition for AI use to appease a vocal minority. They’re just not. There’s no upside for them and it reads desperate.
I’m happy to tell you if asked because IDGAF if you use my shit or not. If I’m sharing it, it’s free, open source and shared out of love. I have no brand or portfolio I’m trying to boost. If you can’t see the USP, it’s probably not for you - and that’s fine.
It also usually means I made it for me first, so I’m probably not out to steal bitcoin or nudes. Still, do your own due diligence and poke it. I would.