06 Nov, 2025
I don’t code in Rust. Probably because I can’t code in Rust. Claude Sonnet, however, can code in Rust. So, armed with Zed, GitHub Copilot and an idea, just how dangerous could I get writing code in a language I do not understand? Turns out, Claude can make an app out of that.
Now, this isn’t my first foray into vibe coding. I have a few Bash scripts that are the sole product of Claude Sonnet. These, however, are easy to rationalise, because I understand Bash. I wanted a script that would do two things:
- Run OCSP checks on a certificate, fetched from the Internet, and print the results to stdout.
- Dump the essential details of a certificate in a readable format, also fetched from the Internet.
Prompting resulted in a 950-line script that does exactly what I want it to, and looks pretty doing it. I did ask Claude Sonnet to flex on using emojis, banners and different colour text to stretch what iTerm2 on my MacBook is capable of. Once written, it was easy to review, and easy to test, and easy to square away as job done. I had Claude write another script that takes a target domain as an argument, and then reports back on whether it can resolve addresses from a set list of hostnames. If it can’t, it marks this with a red circle emoji with the full hostname and a reason. If it can, it will show a green circle emoji, and it’ll tell you whether the address returned is defined as an RFC 1918 address, or if it is routable across the Internet. It wraps this up with a summary.
Emojis bro? Seriously? Yes. I fucking love them. At a glance, I can differentiate between good and bad, and a variety of states in between.
So, being reasonably familiar with asking Claude to work its magic for me (and bickering over the details), and already being impressed with the quality of the README it’ll put together, I got cracking asking Claude to build a reasonably complex Rust CLI app for me.
What I ended up with was a few thousand lines, tests included, of an application I called netwatch, that was developed to do network analysis. I started off at cipher suite analysis, so netwatch would take an argument like:

```
$ netwatch tls --endpoints https://example.com --verbose
```
and return a security assessment of the TLS ciphers that it found on the target. Pretty colours, informative emojis, the whole nine yards. It used a five-tier rating system to rank discovered ciphers from Excellent to Broken. For example:
```
Starting TLS validation for 3 endpoints...
Validating google.com:443 ... EXCELLENT
Validating github.com:443 ... EXCELLENT
Validating badssl.com:443 ... GOOD
=== VALIDATION SUMMARY ===
Total endpoints: 3
Successful connections: 3
Failed connections: 0
=== SECURITY DISTRIBUTION ===
Excellent: 2
Good: 1
Acceptable: 0
Weak: 0
Broken: 0
=== DETAILED RESULTS ===
🟢 google.com:443 - EXCELLENT
🟢 github.com:443 - EXCELLENT
🟢 badssl.com:443 - GOOD
```
If you provided the --cipher-analysis switch, you’d get output similar to:
```
🟢 google.com:443 - EXCELLENT
✓ TLSv1.2 (28 cipher suites)
Security range: WEAK to EXCELLENT
1. TLS_AES_256_GCM_SHA384 (EXCELLENT)
Key Exchange: TLS 1.3
Authentication: TLS 1.3
Encryption: AES-256-GCM
MAC: AEAD (Authenticated Encryption)
Recommendation: ✅ Recommended - State-of-the-art security
2. TLS_RSA_WITH_AES_128_CBC_SHA (WEAK)
Key Exchange: RSA
Authentication: RSA
Encryption: AES-128-CBC
MAC: SHA-1
Recommendation: ❌ Avoid - No forward secrecy, vulnerable to certain attacks
```
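The breakdown in the output above (key exchange, authentication, encryption, MAC, then a tier) can be derived from the IANA suite name alone. The sketch below is an added example, not netwatch's code, which the post does not show; the names `analyse`, `Suite` and `Rating` are hypothetical, and the tiering rules are assumptions chosen to reproduce the two ratings shown.

```rust
// Added example: the tiering rules are assumptions, not netwatch's actual logic.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Rating { Broken, Weak, Acceptable, Good, Excellent }

#[derive(Debug)]
pub struct Suite {
    pub kx: String, pub auth: String, pub enc: String, pub mac: String, pub rating: Rating,
}

/// Split an IANA cipher suite name into its parts and assign a tier.
pub fn analyse(name: &str) -> Option<Suite> {
    let body = name.strip_prefix("TLS_")?;
    // TLS 1.3 names have no "_WITH_": key exchange and auth are negotiated separately.
    let (kx, auth, rest) = match body.split_once("_WITH_") {
        None => ("TLS 1.3", "TLS 1.3", body),
        Some((ka, rest)) => {
            let (kx, auth) = ka.split_once('_').unwrap_or((ka, ka)); // "RSA" fills both roles
            (kx, auth, rest)
        }
    };
    // The trailing token is the hash, when present (some CCM suites omit it).
    let (enc, hash) = match rest.rsplit_once('_') {
        Some((e, h)) if h.starts_with("SHA") || h == "MD5" => (e, h),
        _ => (rest, ""),
    };
    let aead = ["GCM", "CCM", "POLY1305"].iter().any(|m| enc.contains(*m));
    let forward_secret = matches!(kx, "TLS 1.3" | "ECDHE" | "DHE");
    let broken = ["NULL", "RC4", "DES", "EXPORT", "MD5", "anon"]
        .iter().any(|w| name.contains(*w));
    let rating = if broken { Rating::Broken }
        else if !forward_secret { Rating::Weak }   // static RSA/DH/PSK key exchange
        else if !aead { Rating::Acceptable }       // forward secret, but CBC with HMAC
        else if enc.contains("128") { Rating::Good }
        else { Rating::Excellent };                // AES-256 or ChaCha20 AEAD
    let mac = if aead { "AEAD" } else if hash == "SHA" { "SHA-1" } else { hash };
    Some(Suite { kx: kx.into(), auth: auth.into(), enc: enc.replace('_', "-"), mac: mac.into(), rating })
}

fn main() {
    // Constructed sample input: the two suites from the output above plus three more.
    for name in ["TLS_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"] {
        println!("{name}: {:?}", analyse(name));
    }
}
```

Names in OpenSSL's own notation (for example `ECDHE-RSA-AES128-GCM-SHA256`) return `None` and would need mapping to IANA names first.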
This CLI application was shaping up to be a beast. I say was because it was consigned to the great bit bucket in the sky. The rationale for this was provided at the very top of the post. I can’t code in Rust. While it wasn’t doing anything dangerous, I couldn’t read the code, rationalise about it, modify it or defend it. Completely blind to the methods used to implement the desired functionality, it wasn’t code that I was happy having available for use across the department, or worse, other teams across the company. What I could do was monitor this thing while it ran, thanks to Wireshark. I’d specifically asked Claude to respect its targets, and comparative testing using nmap revealed that netwatch wasn’t hitting them any harder than nmap was. Still, this didn’t feel right.
In my head, this is where vibe coding can get dangerous. I wanted a tool that would tell me things about a target that I pointed out. How safe are the cipher suites? What does the certificate chain look like? Are modern ciphers and algorithms implemented? I got that tool, but reading the code made little sense to me, especially when Claude was using idiomatic Rust. I could have just shrugged that off. If I needed to fix something, Claude got us this far, surely it could have fixed something that broke, or amended something that needed it? Well, no.
What I have discovered about AI coding agents is that you can prompt them to do some Pretty Bad Shit™. That isn’t a revolutionary statement. What that is, is an acknowledgement that a few misguided prompts can get an app to behave very badly, or tie Claude up in knots. Like a puppy, it will die trying to please you. If you’re letting it code in the background while you focus on something else, read its summary and click the Keep All button, you can deploy an app that contains changes that are harmful, dangerous or outright destructive.
I also had to question the consistency across iterations. In two threads, a few days apart, Claude would produce code different enough to even stand out to my inexperienced eye. What happens when I come back in a few months? A year? God forbid, two years? Is agentic AI sustainable over the long term, or is it a quick start that produces code useable today, that you come to manage on your own in the future? Today? No idea. I haven’t been using agents to write code for long enough. What I do have are four small Python projects that I’ve asked Claude to build. Robust looking. Well tested. Excellently documented. Those I’ll talk about in my next agentic AI post, Vibing Well, due whenever.