Vibe-Coded Websites Are the Unlicensed Contractors of the Internet
Would you let a homeowner install their own furnace because YouTube made it look easy?
70% of small business websites fail to generate meaningful leads or conversions. For HVAC contractors, it's worse: over 36,000 HVAC businesses in our database operate without a functional website at all. And now a new wave of AI-generated "vibe-coded" sites is about to make both numbers worse.
Here's what's happening: tools like ChatGPT, Lovable, Bolt, and v0 let anyone type "build me an HVAC contractor website" and get something that looks like a website in minutes. It has a hero section, a services page, maybe even a contact form. It looks professional the same way a YouTube furnace install looks professional — right up until the heat exchanger cracks.
We've spent the last year building infrastructure that uses LLMs as part of a purpose-built website generation pipeline for HVAC contractors. We've also studied what happens when you skip the infrastructure and just let a chatbot do the whole job. The difference isn't subtle.
"Vibe Coding" — What It Actually Means
Andrej Karpathy, the former head of AI at Tesla, coined the term in February 2025. He described it as an approach where you "fully give in to the vibes, embrace exponentials, and forget that the code even exists."
It sounds liberating. And for weekend experiments, it can be.
But here's the part that doesn't make the social media posts: when Karpathy himself tried to build a real application (Nanochat), he admitted the result was "basically entirely hand-written" because AI coding agents "just didn't work well enough at all and were net unhelpful."
By February 2026, even Karpathy walked the term back, saying improved LLMs made "vibe coding" passé, replaced by "agentic engineering" — which is a polite way of saying you still need someone who knows what they're doing.
Andrew Ng, one of the most respected names in AI, was more direct: "It's misleading a lot of people into thinking, just go with the vibes. AI-assisted development is a deeply intellectual exercise." He also admitted that a full day of coding with AI assistance leaves him "frankly exhausted."
The Numbers Are Brutal
A CodeRabbit analysis of 470 open-source projects found that AI-generated code contained 1.7x more issues than human-written code. Readability issues spiked 3x higher. Code duplication increased roughly 4x. Security vulnerabilities were 2.74x more common.
The Stack Overflow 2025 Developer Survey found that positive sentiment toward AI coding tools dropped from over 70% to 60% in a single year. 46% of developers now actively distrust AI output accuracy. Only 3% report being "highly trusting."
The most telling stat comes from METR, which found that experienced developers were 19% slower when using AI tools — despite believing they were 20% faster. That's a 39-percentage-point gap between perception and reality.
And these are professional software engineers. Imagine the gap when the person prompting the AI has never written code at all.
What This Looks Like for HVAC Websites
Let's make this concrete. A vibe-coded HVAC website typically:
Looks right on the surface. The colors match, there's a phone number in the header, the services page lists your offerings. A homeowner who visits might not immediately see a problem.
Falls apart under the hood. 45% of AI-generated code fails security tests and introduces OWASP Top 10 vulnerabilities. This isn't theoretical. A developer recently spent a weekend testing apps from the Lovable showcase — not hacking, just using Chrome DevTools — and documented what they found in three hours of casual testing:
- Wide-open databases. Multiple apps had security completely disabled. Anyone with a browser could query the users table and get back every row — names, emails, subscription status, payment fields.
- Self-upgrade to premium. Two apps stored payment status in a user-writable field. You could literally open the browser console and set `is_paid: true` on your own account. Free premium forever.
- Secret API keys in the page source. One app had a live Stripe secret key (`sk_live_`) bundled in its JavaScript — not the publishable key, the secret key. Anyone could issue refunds, create charges, or access the entire payment dashboard.
- Full credentials exposed. Two apps served their `.env` file at `domain.com/.env` — database URLs, API keys, webhook secrets. The complete set of keys to take over the entire backend.
- Admin panels with no login. One app had `/admin` accessible without authentication. Full dashboard, user management, data export.
As the developer put it: "None of this required any special tools or knowledge. A teenager with access to YouTube and Chrome DevTools could find all of this."
This is the core problem: *the AI builds the app to work, not to be secure.* When you tell it "build me a site with user accounts and payments," it skips security so the API calls succeed, puts keys where they're accessible so features function, and doesn't add protection because protection isn't required for the demo to look good. Lovable separately had a documented incident where 170 out of 1,645 generated applications exposed personal information. That's roughly 1 in 10.
If your HVAC website collects estimate requests with names, addresses, and phone numbers — and it was vibe-coded without a security review — you should assume that data is exposed until proven otherwise.
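One way to start proving otherwise is to check what a build would publish before it ships. The Node.js script below is an added example, not code from the original post or from any of the tools named above: it flags `.env` files and `sk_live_` secret keys in a build output and, going slightly beyond the list, database URLs with embedded passwords. The rule names, the `AUDIT_DIR` variable and the sample files are assumptions made for the illustration.

```javascript
// Added example: pre-deploy audit of a static build directory. Names are hypothetical.
const RULES = [
  { id: "dotenv-file", why: "environment file would be served as a static asset",
    test: (f) => /(^|\/)\.env(\.[\w-]+)?$/.test(f.path) },
  { id: "stripe-secret-key", why: "Stripe secret key shipped to the browser",
    test: (f) => /\bsk_live_[0-9A-Za-z]{8,}/.test(f.text) },
  { id: "db-url-with-password", why: "database URL with embedded credentials",
    test: (f) => /\b(postgres(ql)?|mysql|mongodb(\+srv)?):\/\/[^\s"'@/]+:[^\s"'@/]+@/.test(f.text) },
];

// Pure check: files is a list of { path, text } records for everything that will be published.
function auditFiles(files) {
  const findings = [];
  for (const f of files)
    for (const r of RULES)
      if (r.test(f)) findings.push({ rule: r.id, path: f.path, why: r.why });
  return findings;
}

// Loads a build directory into { path, text } records with "/"-separated relative paths.
function readBuildDir(dir) {
  const fs = require("node:fs");
  const path = require("node:path");
  const out = [];
  const walk = (d) => {
    for (const e of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, e.name);
      if (e.isDirectory()) walk(p);
      else out.push({ path: path.relative(dir, p).split(path.sep).join("/"),
                      text: fs.readFileSync(p, "latin1") });
    }
  };
  walk(dir);
  return out;
}

// Constructed stand-in for a build output; every key and secret value here is fake.
const SAMPLE = [
  { path: "index.html", text: '<a href="tel:+15555550100">Call now</a>' },
  { path: ".env", text: "WEBHOOK_SECRET=constructed-placeholder" },
  { path: "assets/app.js", text: 'const STRIPE_KEY = "sk_live_CONSTRUCTED0000example";' },
  { path: "assets/pay.js", text: 'const pk = "pk_live_CONSTRUCTED0000example";' },
];
function auditSample() { return auditFiles(SAMPLE); }

// AUDIT_DIR (hypothetical variable) points the check at a real build; otherwise the sample runs.
const target = typeof process !== "undefined" ? process.env.AUDIT_DIR : undefined;
const found = target ? auditFiles(readBuildDir(target)) : auditSample();
for (const f of found) console.log(`${f.rule}: ${f.path} (${f.why})`);
if (target && found.length) process.exitCode = 1;
```

A clean result only covers what is in the published files. Open database policies, client-writable payment fields and unauthenticated `/admin` routes are server-side settings that still need their own review.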
Destroys your search visibility. We've run Lighthouse audits on over 222,000 HVAC contractor websites. The median mobile performance score is 55.8 out of 100. That's already catastrophic — Google considers anything under 50 a failing grade. Vibe-coded sites, with their unoptimized images, bloated JavaScript, and missing meta tags, typically score worse. And without proper schema markup, local SEO structure, and service area pages, you're invisible to both Google and AI search engines like ChatGPT.
Has no maintenance path. 60% of small business websites haven't updated content in over a year. A vibe-coded site makes this worse because there's no architecture to maintain — just a blob of AI-generated code that nobody, including the AI that wrote it, fully understands. When something breaks, you don't fix it. You throw it away and start over.
Gets the details wrong. LLMs hallucinate. They invent license numbers, fabricate response times, and make up equipment specifications. For a blog post, a hallucinated stat is embarrassing. For a contractor website that claims EPA certifications you don't hold or advertises services you don't offer, it's a compliance risk.
You Already Understand This Problem
Here's the thing: if you're an HVAC contractor, you already know exactly what this looks like. You see it every day — just in a different trade.
A homeowner watches a YouTube video and decides they can install a mini-split themselves. They buy the equipment online, hang the indoor unit, connect the line set, and it runs. It blows cold air. It looks like a working installation.
Then six months later: refrigerant leak from a flare fitting that wasn't torqued to spec. Condensate line with no trap, dripping into the wall cavity. No permit, no load calculation, no code compliance. The system "worked" — right up until it didn't.
Peter Troast, who builds websites for high-performance contractors through Energy Circle, identified the core paradox: "The contractors that are doing the very best work tend not to do a very good job of telling their own story." The best technicians are the worst marketers. Their websites don't reflect their work quality.
A vibe-coded website is the digital equivalent of that YouTube mini-split install. It looks like it works. But there's no load calculation (conversion optimization), no proper flare fittings (security hardening), no permit (accessibility compliance), and no maintenance plan (content updates).
How LLMs Actually Help — When Used Right
We're not anti-AI. Our entire website builder uses LLMs at multiple stages of the build process. The difference is how they're used.
In our pipeline, LLMs generate content that gets validated by a deterministic build system. The AI writes service descriptions — but the system checks that those descriptions match the services the contractor actually offers. The AI generates FAQ answers — but the system wraps them in proper FAQPage schema markup that Google can parse. The AI suggests page layouts — but the system enforces UX minimums: every page gets a phone CTA, every contact page gets a detailed estimate form, every service area page gets an interactive map with verified coordinates.
The AI is a tool. The infrastructure is the tradesperson.
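The pattern described above, sketched as an added example (it is not Full Stack HVAC's pipeline code): model-drafted content is checked against verified business facts, and FAQ text is emitted as FAQPage JSON-LD only if every check passes. The data shapes, the certification patterns and the sample draft are assumptions constructed for the illustration.

```javascript
// Added example: deterministic gate over LLM-drafted page content. All shapes are hypothetical.
const CONTRACTOR = {            // constructed record of verified business facts
  services: ["furnace repair", "ac installation"],
  certifications: ["NATE"],
};
const CERT_PATTERNS = [         // claims the gate recognises in free text
  { name: "NATE", re: /\bNATE\b/ },
  { name: "EPA 608", re: /\bEPA\s+(Section\s+)?608\b/ },
];
const DRAFT = {                 // constructed model output
  services: [
    { name: "Furnace Repair", description: "Same-day diagnostics by NATE-certified techs." },
    { name: "Duct Cleaning", description: "Whole-home duct cleaning. EPA 608 certified." },
  ],
  faq: [{ question: "Do you service newer systems?", answer: "Yes, including units <10 years old." }],
};

function validateDraft(draft, facts) {
  const errors = [];
  const offered = new Set(facts.services.map((s) => s.toLowerCase()));
  for (const s of draft.services)
    if (!offered.has(s.name.toLowerCase())) errors.push(`service not offered: ${s.name}`);
  const text = [...draft.services.map((s) => s.description),
                ...draft.faq.flatMap((q) => [q.question, q.answer])].join("\n");
  for (const c of CERT_PATTERNS)
    if (c.re.test(text) && !facts.certifications.includes(c.name))
      errors.push(`unverified certification claimed: ${c.name}`);
  return errors;
}

function faqJsonLd(faq) {
  const doc = {
    "@context": "https://schema.org",
    "@type": "FAQPage",
    mainEntity: faq.map((q) => ({
      "@type": "Question", name: q.question,
      acceptedAnswer: { "@type": "Answer", text: q.answer },
    })),
  };
  // Escape "<" so model-written text can never close the enclosing <script> element.
  return JSON.stringify(doc).replace(/</g, "\\u003c");
}

// The build fails closed: nothing is emitted unless every check passes.
function buildPage(draft, facts) {
  const errors = validateDraft(draft, facts);
  return errors.length ? { ok: false, errors } : { ok: true, jsonLd: faqJsonLd(draft.faq) };
}
console.log(buildPage(DRAFT, CONTRACTOR));
```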
This is the same principle that makes Bluon's AI troubleshooting tools work for technicians in the field. Callbacks are down 25-50% and service manager calls reduced up to 80% — not because the AI replaced the technician, but because the AI was integrated into a system designed by people who understand HVAC service.
Ed Smith, from the Service Business Mastery podcast, described the right approach in four words: "We listen, we measure, we fix, we prove." That's what professional infrastructure does. It listens to what the contractor needs, measures performance with real data, fixes problems with tested solutions, and proves the results.
The Real Cost of "Free"
The 2025 Stack Overflow survey found that 66% of developers cite "AI solutions that are almost right, but not quite" as their biggest frustration. 45% say debugging AI-generated code takes more time than writing it from scratch.
For a contractor, the cost isn't debugging time. It's:
- Lost emergency calls. Mobile LCP (the time until your page's main content is visible) averages 9.2 seconds across HVAC contractor websites. Google considers anything over 2.5 seconds a poor experience. 53% of mobile users abandon sites that take longer than 3 seconds. Your vibe-coded site isn't loading fast enough for the homeowner whose furnace just died at midnight.
- Invisible to AI search. One Reddit TechSEO thread (17 upvotes, 41 comments) captured the frustration perfectly: "Perfect technical SEO, schema, structured data, core web vitals. ChatGPT still ignores us." AI search engines recommend businesses based on topical authority and structured data — neither of which a vibe-coded site provides.
- Trust erosion. A Legit Security survey found that 1 in 4 consumers would lose trust in an application if they learned it used AI-written code. Now imagine a homeowner discovers that the contractor website promising "25 years of experience" was generated by ChatGPT in 10 minutes.
- No growth path. A vibe-coded site is a dead end. You can't A/B test it, you can't add multilingual support, you can't integrate it with your CRM, you can't add a blog with proper internal linking. It's a poster, not a platform.
What to Look For
If you're evaluating how to build or rebuild your website, ask these questions:
- Who maintains the infrastructure? If the answer is "nobody" or "the same AI that built it," you have a YouTube mini-split install.
- Where does the content come from? AI-generated content should be validated against your actual business data — your real services, your real service area, your real certifications. If nobody checked, you're publishing hallucinations.
- What happens when it breaks? A professional build has monitoring, version control, and a maintenance path. A vibe-coded site has "prompt it again and hope."
- How does it perform on mobile? 64% of HVAC searches happen on mobile. Run a [Lighthouse audit](https://pagespeed.web.dev/) and check your mobile performance score. If it's under 70, you're losing emergency calls.
- Can it grow with your business? You need a platform that supports new service pages, service area expansion, review integration, and evolving SEO requirements. Not a static snapshot of what ChatGPT thought your business looked like on one afternoon.
The Bottom Line
LLMs are a genuinely useful tool — if you apply them properly. But applying LLMs to a trade requires somebody with experience in that trade and experience with LLMs.
You wouldn't trust a homeowner to install their own commercial rooftop unit just because they watched a video. You wouldn't trust a general handyman to size ductwork for a two-story build. The tools are available to anyone, but the expertise to use them correctly isn't.
The same is true for building a website that actually generates leads for your HVAC business. The AI can help. But it needs a licensed operator.
Full Stack HVAC helps contractors research, compare, and build their complete digital stack — backed by data from 96,000 contractors, 404,000 reviews, and 222,000 website audits. Start Free Trial