Vibe Vice Todo List
See how playful prompts can break serious code
This playful sandbox demonstrates how easily prompts and SQL statements can be exploited — and why code security is critical in the age of vibe coding. It may look like only simple insert/delete commands are allowed, but with clever wording you can still trick the system.
Please enter one or more todos you would like to add, or existing todos which you would like to remove from the task list. E.g., add 'buy confetti', delete id=1, or rename all 'green' to 'blue'.
What is this page about?
An educational sandbox for the talk «42 Ways to Vibe Code Securely» at 2pm at Vibe Code Fest (Schlieren, Zurich; August 2025) showing how seemingly harmless prompts can transform into risky SQL if we’re careless.
How does it work?
This page provides a todo list that is managed through natural language, interpreted by a large language model (LLM). The LLM turns a user's commands into database query language (SQL) and modifies the database accordingly. Everyone can see the current tasks that all users have entered, removed, or modified. The system is intentionally implemented very naively, so that a user can enter queries that are potentially destructive to the data (loss of data, changes to the data structure, schema, etc.) and to the service itself (crash, outage).
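The naive pattern described above next to a constrained design, as an added example (not the sandbox's own code): instead of executing SQL written by the model, the guarded path accepts only a JSON intent, checks it against an allowlist, and binds the values to parameterized statements. The `todos` schema, the JSON intent format, and all function names are assumptions made for illustration.

```python
import json
import sqlite3

# Assumed allowlist: the model picks an action; it never writes SQL itself.
TEMPLATES = {
    "add": ("INSERT INTO todos (title) VALUES (:title)", {"title": str}),
    "delete": ("DELETE FROM todos WHERE id = :id", {"id": int}),
    "rename": ("UPDATE todos SET title = replace(title, :old, :new)", {"old": str, "new": str}),
}
MAX_LEN = 200  # assumed upper bound for any text field

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE todos (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    db.execute("INSERT INTO todos (title) VALUES ('buy confetti')")
    return db

def run_naive(db, model_sql):
    """Naive pattern: execute whatever SQL text the model derived from the prompt."""
    db.executescript(model_sql)

def run_guarded(db, model_json):
    """Accept only a known action with exactly the expected, correctly typed fields."""
    try:
        intent = json.loads(model_json)
    except ValueError:
        return False
    if not isinstance(intent, dict) or not isinstance(intent.get("action"), str):
        return False
    spec = TEMPLATES.get(intent["action"])
    params = intent.get("params")
    if spec is None or not isinstance(params, dict) or set(params) != set(spec[1]):
        return False
    for name, typ in spec[1].items():
        value = params[name]  # type() check rejects bool, which is a subclass of int
        bad_text = typ is str and type(value) is str and len(value) > MAX_LEN
        bad_id = typ is int and type(value) is int and not 0 < value < 2**63
        if type(value) is not typ or bad_text or bad_id:
            return False
    db.execute(spec[0], params)  # values are bound as data, never concatenated into SQL
    return True

def table_exists(db):
    q = "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='todos'"
    return db.execute(q).fetchone()[0] == 1

def titles(db):
    return [row[0] for row in db.execute("SELECT title FROM todos ORDER BY id")]
```

With the guarded path, text that looks like SQL ends up stored as an ordinary todo title, and any action outside the allowlist is rejected before the database is touched.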
Who made this?
Created by Matthias for the Vibe Code Festival. Matthias is an augmented reality hacker and founder based in Zurich. Learn more on matthias.sala.ch or connect on LinkedIn.