Sun, Jul 12, 2026NY 6:50 PM EDTLA 3:50 PM PDTLON 11:50 PM GMT+1PAR 12:50 AM GMT+2DXB 2:50 AM GMT+4SIN 6:50 AM GMT+8TOK 7:50 AM GMT+9SYD 8:50 AM GMT+10UTC 10:50 PM UTCBTC delayed quote CoinGeckoETH delayed quote CoinGeckoFresh explainers, verified sources, practical next steps
Strangely Useful

Clear, verified help for apps, money, security, AI, and everyday tech problems.

Sections
Start with topic hubsSpot fake supportFix a wrong Cash App paymentLatest storiesTopicsMoney & ChargesSearchInternet & CultureTech & AISecurity & TrustPractical TechnologyMoney & PaymentsBrowser & PrivacyAI ToolsSoftware & ServicesInternet Culture & Everyday WorkflowsHidden HistoryUseful ThingsEntertainmentQuizzesAboutHow we workHow guides are madeNewsletter
AI Tools - list

Treat AI-Written Code Like a Pull Request From a Stranger

Generated code can contain insecure defaults and invented packages. Review the diff before running it.

Last verified July 11, 20262 sources checkedEditorial standards
AI-generated code passes through review checkpoints.
Treat AI-Written Code Like a Pull Request From a StrangerAI-generated code passes through review checkpoints.Generated code enters the normal review pipeline. Illustration: Strangely Useful. Generated for Strangely Useful; provenance retained.
In this story7 sectionsDefine intentCheck dangerous edgesVerify dependenciesRun it in a contained environmentTrace data through the changeKeep attribution and licensing visibleReview configuration alongside source

Never run or merge AI-generated code until a person reviews the exact diff, dependencies and commands. A plausible code block does not carry accountability.

Define intent

Write what the change should do and must not touch. Review small diffs; sprawling refactors can hide unrelated deletions.

Check dangerous edges

  • Authentication and authorization.
  • Input validation and injection.
  • Secrets and environment files.
  • Shell commands and network calls.
  • New packages and install scripts.
  • Logs that may expose data.

Verify dependencies

Confirm every package exists in the official registry and is the intended project. Models can invent believable names. Inspect lockfile changes before installing.

Test failure paths

Add tests for malformed input, missing permissions, timeouts and repeats. Run static analysis and the existing suite. A generated test repeating the implementation is not independent evidence.

Keep the branch protections used for any unfamiliar contributor. Speed matters only while the review surface remains understandable.

Run it in a contained environment

Use a disposable branch, test account, container or sandbox with no production secrets. Deny outbound network access unless the test requires it. A review can miss a command hidden in a build hook, so containment complements—not replaces—reading the code.

Trace data through the change

Identify every input, transformation, storage location and output. Check authorization at the server boundary rather than trusting a generated user interface. Confirm logs do not capture passwords, tokens or full uploaded documents.

Challenge the happy path

Try an empty value, oversized input, wrong account, expired token, duplicate request and interrupted network call. Check that retries do not create duplicate charges or records. Security failures often live where the sample prompt did not ask the model to look.

Keep attribution and licensing visible

Do not accept the model's assurance that code is original or license-safe. Review suspiciously distinctive blocks, package licenses and repository policy. Record AI assistance if the project's contribution rules require it.

Review configuration alongside source

Generated infrastructure files can expose a service publicly, weaken security headers or grant a wildcard permission even when the application code looks harmless. Include manifests, workflow files, database migrations and deployment settings in the diff. Run a dry deployment and inspect the planned resources before applying changes to a live account.

Have a second reviewer inspect high-impact changes without first reading the model's explanation. Independent review can catch assumptions that the generated summary made sound settled, especially around permissions, destructive migrations and fallback behavior.

Require a clean review before merge.

Sources & methodology2 sources - evidence for this revision

The records below show what each source supports in this published revision.

  1. OWASP Top 10 for LLM ApplicationsOWASPreference - Retrieved Jul 12, 2026

    What it supportsOWASP identifies insecure output, supply-chain and excessive-agency risks.

  2. Secure by DesignCISAreference - Retrieved Jul 12, 2026

    What it supportsCISA promotes secure defaults.

The Useful Dispatch

Keep the good rabbit holes coming.

The weekly email is being prepared. No address is collected yet.

See the newsletter plan →