Vibe-Coded Websites Are the Unlicensed Contractors of the Internet
Key takeaways
- "Vibe coding" (letting an AI write the whole site without review) produces something that looks like a working website and falls apart under the hood. The man who coined the term walked it back within a year.
- The measured numbers are not flattering: AI-generated code carries 1.7x more issues and 2.74x more security vulnerabilities than human-written code, and 45% of it fails security tests.1, 2
- A vibe-coded HVAC site that collects estimate requests (names, addresses, phone numbers) without a security review should be treated as exposed until proven otherwise. One popular builder leaked personal data from roughly 1 in 10 of its generated apps.2
- The fix is not "no AI". We use LLMs throughout our own builder. The fix is putting the AI inside infrastructure that validates its output against the contractor's real services, certifications, and coordinates. The AI is the tool; the infrastructure is the tradesperson.
Would you let a homeowner install their own furnace because YouTube made it look easy?
About 70% of small-business websites fail to generate meaningful leads or conversions. For HVAC contractors it is worse: more than 36,000 of the businesses in our database operate without a functional website at all. Now a wave of AI-generated "vibe-coded" sites is about to push both numbers in the wrong direction.
Tools like ChatGPT, Lovable, Bolt, and v0 let anyone type "build me an HVAC contractor website" and get something that looks like a website in minutes. It has a hero section, a services page, maybe a contact form. It looks professional the same way a YouTube furnace install looks professional, right up until the heat exchanger cracks.
I have spent the last year building infrastructure that uses LLMs as part of a purpose-built website pipeline for HVAC contractors, and studying what happens when you skip the infrastructure and let a chatbot do the whole job. The difference is not subtle.
What "vibe coding" actually means
Andrej Karpathy, the former head of AI at Tesla, coined the term in February 2025. He described it as an approach where you "fully give in to the vibes, embrace exponentials, and forget that the code even exists."
It sounds liberating, and for a weekend experiment it can be. The part that does not make the social-media posts: when Karpathy himself tried to build a real application (Nanochat), he admitted the result was "basically entirely hand-written" because the AI coding agents "just didn't work well enough at all and were net unhelpful." By February 2026 he had walked the term back, saying improved models made "vibe coding" passé, replaced by "agentic engineering", which is a polite way of saying you still need someone who knows what they are doing.
Andrew Ng, one of the most respected names in AI, put it plainly: "It's misleading a lot of people into thinking, just go with the vibes. AI-assisted development is a deeply intellectual exercise." He added that a full day of coding with AI assistance leaves him "frankly exhausted."
The numbers are not flattering
A CodeRabbit analysis of 470 open-source projects found that AI-generated code contained 1.7x more issues than human-written code. Readability problems ran 3x higher. Code duplication increased roughly 4x. Security vulnerabilities were 2.74x more common.1
The Stack Overflow 2025 Developer Survey found positive sentiment toward AI coding tools dropping from over 70% to 60% in a single year. 46% of developers now actively distrust AI output accuracy; only 3% report being "highly trusting."3 The most telling figure comes from METR, which measured experienced developers as 19% slower when using AI tools, while they believed they were 20% faster. That is a 39-point gap between perception and reality.4
These are professional software engineers. Picture the gap when the person prompting the AI has never written a line of code.
What this looks like on an HVAC website
Make it concrete. A vibe-coded HVAC website usually does four things.
It looks right on the surface. The colors match, there is a phone number in the header, the services page lists the offerings. A homeowner who visits might not see a problem.
It falls apart under the hood. 45% of AI-generated code fails security tests and introduces OWASP Top 10 vulnerabilities.2 This is not theoretical. A developer spent a weekend testing apps from one builder's public showcase, not hacking, just using Chrome DevTools, and documented what three hours of casual poking turned up:
- Wide-open databases. Several apps had security disabled entirely. Anyone with a browser could query the users table and get back every row: names, emails, subscription status, payment fields.
- Self-upgrade to premium. Two apps stored payment status in a user-writable field. You could open the browser console, set a paid flag on your own account, and have free premium forever.
- Secret API keys in the page source. One app shipped a live Stripe secret key (the sk_live_ key, not the publishable one) inside its JavaScript. Anyone could issue refunds, create charges, or open the payment dashboard.
- Full credentials exposed. Two apps served their .env file at domain.com/.env: database URLs, API keys, webhook secrets, the complete set of keys to the backend.
- Admin panels with no login. One app left /admin open with no authentication. Full dashboard, user management, data export.
In the developer's words: "None of this required any special tools or knowledge. A teenager with access to YouTube and Chrome DevTools could find all of this."
That is the core problem. The AI builds the app to work, not to be secure. Tell it "build me a site with user accounts and payments" and it skips security so the API calls succeed, puts keys where they are reachable so features function, and adds no protection because protection is not required for the demo to look good. The same builder had a documented incident where 170 of 1,645 generated applications exposed personal information, roughly 1 in 10.2
If your HVAC website collects estimate requests with names, addresses, and phone numbers, and it was vibe-coded without a security review, assume that data is exposed until proven otherwise.
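A pre-deploy check for two of the failure modes in the showcase write-up (a live secret key inside client-side JavaScript, a .env file inside the published files), written as an added example rather than code from the article or from any builder it names. The directory layout, the sample files and the fake key value are constructed, and the private-key pattern is an extra assumption beyond what the text lists.

```python
"""Pre-deploy check of a static site's publish directory (added example,
not the article's or any builder's own code). It flags two failure modes
from the showcase write-up: a live Stripe secret key shipped in client-side
JavaScript, and a .env file copied into the files that get published."""
import os
import re
import tempfile

# An sk_live_ prefix in any browser-delivered file is a finding regardless of
# the rest of the value; the private-key pattern is an added assumption.
SECRET_PATTERNS = {
    "stripe_live_secret": re.compile(r"\bsk_live_[A-Za-z0-9]{8,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
FORBIDDEN_NAMES = {".env", ".env.local", ".env.production"}  # backend-only files
CLIENT_EXTENSIONS = {".js", ".mjs", ".html", ".map"}  # files a browser will fetch

def scan_build_dir(root):
    """Return sorted (relative_path, finding) pairs; an empty list means clean."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in FORBIDDEN_NAMES:
                findings.append((rel, "env file in publish directory"))
                continue
            if os.path.splitext(name)[1] not in CLIENT_EXTENSIONS:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, f"{label} in client asset"))
    return sorted(findings)

def build_sample_site():
    """Write a constructed publish directory that reproduces both mistakes."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "assets", "app.js"), "w") as fh:
        # Constructed fake key; only the sk_live_ prefix matters to the check.
        fh.write('const stripe = Stripe("sk_live_FAKEFAKEFAKE1234");\n')
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("DATABASE_URL=postgres://placeholder\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write('<script src="assets/app.js"></script>\n')
    return root
```

Running scan_build_dir(build_sample_site()) reports both the .env file and the key in app.js; wiring the same call into the build step and failing on a non-empty result is what keeps them from reaching the host.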
It destroys your search visibility. We have run over 1.1 million Lighthouse audits on HVAC contractor websites, and about 18% load too slowly on mobile, with Largest Contentful Paint over 2.5 seconds.5 That is already costly, because Google treats slow mobile loading as a ranking signal. Vibe-coded sites, with their unoptimized images, bloated JavaScript, and missing meta tags, typically score worse. Without proper schema markup, local-SEO structure, and service-area pages, the site is invisible to both Google and AI search engines like ChatGPT.
It has no maintenance path. 60% of small-business websites have not updated content in over a year. A vibe-coded site makes that worse, because there is no architecture to maintain, just a blob of AI-generated code that nobody, including the model that wrote it, fully understands. When something breaks, you do not fix it. You throw it away and start over.
It gets the details wrong. LLMs hallucinate. They invent license numbers, fabricate response times, and make up equipment specifications. On a blog post a hallucinated stat is embarrassing. On a contractor website that claims EPA certifications you do not hold or advertises services you do not offer, it is a compliance risk.
You already understand this problem
If you run an HVAC business, you already know exactly what this looks like. You see it every day, in a different trade.
A homeowner watches a video and decides they can install a mini-split themselves. They buy the equipment online, hang the indoor unit, connect the line set, and it runs. It blows cold air. It looks like a working installation. Six months later: a refrigerant leak from a flare fitting that was never torqued to spec, a condensate line with no trap dripping into the wall cavity, no permit, no load calculation, no code compliance. The system worked, right up until it did not.
Peter Troast, who builds websites for high-performance contractors through Energy Circle, named the paradox: "The contractors that are doing the very best work tend not to do a very good job of telling their own story." The best technicians are often the worst marketers, and their websites do not reflect the quality of their work.
A vibe-coded website is the digital version of that YouTube mini-split. It looks like it works. There is no load calculation (conversion optimization), no torqued flare fittings (security hardening), no permit (accessibility compliance), and no maintenance plan (content updates).
How LLMs actually help, when used right
I am not anti-AI. Our entire website builder uses LLMs at multiple stages. The difference is in how they are used.
In our pipeline, LLMs generate content that a deterministic build system then validates. The AI writes service descriptions; the system checks those descriptions against the services the contractor actually offers. The AI generates FAQ answers; the system wraps them in proper FAQPage schema that Google can parse. The AI suggests page layouts; the system enforces UX minimums, so every page gets a phone CTA, every contact page gets a detailed estimate form, and every service-area page gets an interactive map with verified coordinates.
The AI is the tool. The infrastructure is the tradesperson.
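The validate-after-generate gate described above, as an added example that is not the author's pipeline code: the contractor profile, the generated text and the placeholder license number are constructed, and the regexes for EPA certification and license-number claims are my assumptions about what to extract. The FAQPage JSON-LD shape follows schema.org.

```python
"""Validation gate between LLM output and the build (added example, not the
article's own pipeline code): a constructed contractor profile is the source of
truth, unsupported claims are rejected, accepted FAQ pairs become FAQPage JSON-LD."""
import re

# Constructed profile (assumed shape); the license number is a placeholder.
PROFILE = {
    "services": {"furnace repair", "ac installation", "duct cleaning"},
    "certifications": {"EPA 608"},
    "license_number": "HVAC-000000-EXAMPLE",
}
EPA_RE = re.compile(r"\bEPA \d{3}\b")  # assumed pattern for certification claims
LICENSE_RE = re.compile(r"\blicense\s*(?:number|no\.?|#)\s*:?\s*([A-Z0-9-]+)", re.I)

def check(body, service=None):
    """Reasons to reject generated text; [] means every claim is supported."""
    reasons = []
    if service is not None and service.lower() not in PROFILE["services"]:
        reasons.append(f"service not offered: {service}")
    for cert in sorted(set(EPA_RE.findall(body))):
        if cert not in PROFILE["certifications"]:
            reasons.append(f"certification not held: {cert}")
    for lic in LICENSE_RE.findall(body):
        if lic.upper() != PROFILE["license_number"]:
            reasons.append(f"license number does not match profile: {lic}")
    return reasons

def faq_schema(faqs):
    """Wrap accepted question/answer pairs in schema.org FAQPage JSON-LD."""
    return {"@context": "https://schema.org", "@type": "FAQPage",
            "mainEntity": [{"@type": "Question", "name": q,
                            "acceptedAnswer": {"@type": "Answer", "text": a}}
                           for q, a in faqs]}

def gate(generated):
    """Split model output into publishable pages, rejections and FAQ schema."""
    checked = [(name, check(body, name)) for name, body in generated["pages"]]
    accepted = [name for name, reasons in checked if not reasons]
    rejected = [(name, reasons) for name, reasons in checked if reasons]
    faqs = [(q, a) for q, a in generated["faqs"] if not check(a)]
    return accepted, rejected, faq_schema(faqs)

GENERATED = {  # constructed stand-in for model output, not real LLM text
    "pages": [("Furnace Repair", "EPA 608 certified. License #HVAC-000000-EXAMPLE."),
              ("Boiler Installation", "Same-day boiler installs."),
              ("Duct Cleaning", "NATE and EPA 609 certified.")],
    "faqs": [("Do you offer financing?", "Yes, ask when you book an estimate."),
             ("Are you licensed?", "Yes, license number ABC-12345.")],
}
```

gate(GENERATED) publishes only the furnace page and the financing FAQ; the boiler page fails the service check, the duct page claims a certification the profile does not hold, and the second FAQ cites a license number that does not match.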
This is the same principle that makes Bluon's AI troubleshooting tools work for technicians in the field. Callbacks drop 25 to 50% and service-manager calls fall by up to 80%, not because the AI replaced the technician, but because it was built into a system designed by people who understand HVAC service. Ed Smith of the Service Business Mastery podcast described the right approach in four words: "We listen, we measure, we fix, we prove." That is what professional infrastructure does.
The real cost of "free"
The 2025 Stack Overflow survey found 66% of developers cite "AI solutions that are almost right, but not quite" as their biggest frustration, and 45% say debugging AI-generated code takes more time than writing it from scratch.3 For a contractor, the cost is not debugging time. It is:
- Lost emergency calls. Mobile LCP (the time until the main content is visible) averages around 9 seconds on the slow tier of HVAC contractor sites, roughly 1 in 9 of them. Google calls anything over 4 seconds a poor experience and over 2.5 a degraded one, and 53% of mobile users abandon a site that takes longer than 3 seconds. The vibe-coded site is not loading fast enough for the homeowner whose furnace just died at midnight.
- Invisibility to AI search. One Reddit TechSEO thread captured the frustration: "Perfect technical SEO, schema, structured data, core web vitals. ChatGPT still ignores us." AI search engines recommend businesses on topical authority and structured data, neither of which a vibe-coded site provides.
- Trust erosion. A Legit Security survey found 1 in 4 consumers would lose trust in an application once they learned it used AI-written code. Picture a homeowner discovering that the site promising "25 years of experience" was generated by ChatGPT in ten minutes.
- No growth path. A vibe-coded site is a dead end. You cannot A/B test it, add multilingual support, integrate it with your CRM, or attach a blog with proper internal linking. It is a poster, not a platform.
What to look for
If you are deciding how to build or rebuild your site, ask five questions.
- Who maintains the infrastructure? If the answer is "nobody" or "the same AI that built it," you have a YouTube mini-split install.
- Where does the content come from? AI-generated content should be validated against your real services, service area, and certifications. If nobody checked, you are publishing hallucinations.
- What happens when it breaks? A professional build has monitoring, version control, and a maintenance path. A vibe-coded site has "prompt it again and hope."
- How does it perform on mobile? 64% of HVAC searches happen on a phone. Run a Lighthouse audit and check the mobile score. Under 70 means you are losing emergency calls.
- Can it grow with the business? You need a platform that supports new service pages, service-area expansion, review integration, and evolving SEO requirements, not a static snapshot of what a chatbot thought your business looked like on one afternoon.
Bottom line
LLMs are a genuinely useful tool when you apply them properly. Applying them to a trade requires somebody with experience in that trade and experience with the tools. You would not trust a homeowner to install a commercial rooftop unit because they watched a video, or a general handyman to size ductwork for a two-story build. The tools are available to anyone; the expertise to use them correctly is not.
The same is true for a website that actually generates leads for an HVAC business. The AI can help. It needs a licensed operator.
For the speed half of this problem, see the mobile-speed analysis. For why even a technically clean site can stay invisible to AI assistants, see the ChatGPT post.
Sources
- "AI code quality analysis across 470 open-source projects", CodeRabbit, 2025 (1.7x issues, 3x readability, ~4x duplication, 2.74x security vulnerabilities vs human-written code).
- Reporting on AI-builder security: 45% of AI-generated code fails security tests / introduces OWASP Top 10 issues; documented Lovable incident exposing personal data in 170 of 1,645 generated applications.
- "2025 Developer Survey", Stack Overflow (AI sentiment 70% to 60%; 46% distrust accuracy; 3% highly trusting; 66% cite "almost right" as top frustration; 45% find debugging AI code slower).
- "Measuring the impact of AI tools on experienced developers", METR, 2025 (19% slower while believing 20% faster).
- "Full Stack HVAC Contractor Site Lighthouse Audit Set", Full Stack HVAC dataset (over 1.1 million Lighthouse audits; about 18% load too slowly on mobile, LCP over 2.5s), 2026.