There's been a lot of talk about AI for months, well, I guess years at this point, and it's not going away anytime soon. What has been happening more and more in recent months is the introduction of more vibe-coded projects in the emulation scene.

In some instances, vibe-coded projects are accepted by the community with open arms, while others are essentially decreed as heresy. Something I haven't been able to really figure out is how to confidently determine when a project might be embraced or if it'll be blasted to smithereens.

Obviously, much of that has to do with how the project was created, how it's being presented, and frankly, how the developer might respond to criticism. There are obvious cases of when vibe-coded "AI slop" is just someone trying to half-heartedly make a quick buck or falsely present something as being able to do something that it isn't actually able to do.

There are also times when a forked project that might have been partially created by vibe-coding is nothing more than someone trying to expand on the original idea. This happens quite often, whether you realize it or not, and if you need any proof, just go digging around on GitHub for a little while.

The Middle Ground

Then there's a kind of "middle-ground" where vibe-coded pull requests are made to an open source project. At that point, it's then up to the developer of the main project to determine whether to accept the request and implement whatever changes or reject it outright.

In early May, the RPCS3 account posted the following:

The RPCS3 team didn't just outright say it would ban all vibe-coded pull requests. Instead, it implemented some guidelines, which include "We won't ban if disclosed, except for abuse cases, e.g. throwing a lot of random slop at us to see what passes reviews."

This is a good outcome for the community, as it could allow properly reviewed code to potentially fix problems or add features. Not only that, but disclosing the use of AI-generated code can go a long way to gaining trust.

Speaking of which, I recently wrote a news piece about what seemed like an exciting new app called "Starboard." Basically, the app provides a means to use PortMaster on Android, which is something I've been wanting for a while.

Initially, things looked mostly on the up-and-up, despite the full source code not being published to the GitHub repo. That gave me a bit of pause, but after seeing the developer respond, explaining why it's closed source, and mentioning that they've "chatted in the Portmaster devs Discord," my concerns were eased.

As luck would have it, one of the PortMaster devs replied to a thread on Reddit that sheds some light on what's really going on:

Comment
by u/BlightWyrm from discussion
in SBCGaming

And just like that, while it started out as a promising and exciting new app, pretty much all of the credibility has been tossed out the window.

Bad Actors Can Ruin Everything

On the flip side of things, I stumbled across an article on the Malwarebyes | Labs Blog titled "Retro gaming fans are the new target for fake GitHub malware." The article covers a homebrew project for the PlayStation Vita called "EQVita."

While there is a legitimate EQVita project on GitHub, there's also a clone project by the same name. At first glance, it might be difficult to even know that it's technically a modified version, as it doesn't show as being a fork. Instead, the person simply downloaded the source code, made changes to it, and reuploaded the infected code.

I recommend heading over and reading the full blog post, as it details how the infected app actually works. But I will say that while there are some indicators on how to tell an original project from a forked/modified one, none of that helps if you don't even know that there is an "original" project.

This is potentially a big problem for many of us in the retro gaming and emulation space, in that we get excited about new apps or tools that didn't previously exist. So when those are discovered, we flock to download said app or tool, not always knowing that it was vibe-coded and might actually be malicious.

ThunderPass Screenshots

Another example of an app falling in this category is ThunderPass, which was expected to essentially be "StreetPass" for Android. The individual took a privately-shared APK, tore it down, then tried filling in the remaining gaps with AI-generated code. One reason why this is more egregious than aPS3e in my eyes is because of a comment provided by one of the Cocoon developers who pointed out "Security Concerns:"

Security Concerns - The developer of this, despite claiming "25 years of IT and Security experience", hardcoded his API Key Secrets into a commit in the public repo, even despite the AI comments telling him not to. This raises concerns as in his roadmap he claims to be integrating "🌍 Power Surge Events — location-based 2× Volt multipliers" which would mean uploading users location data to his own server - which he has clearly demonstrated he can't properly secure.

Needless to say, ThunderPass never really took off in the community in a way that many hoped it would. That said, the most recent release is from May 11, but the most recent GitHub commit was to "Reset repo to README and image only," with all of the code being removed.

Quit Babbling, What's Your Point?

The use of AI is still in its infancy, which is both good and bad, with a never-ending list for either side. It can be used as a tool to create and assist in developing new apps and tools, or even fixing years-old software bugs. It can also be used by others as a modern attempt at a "get rich quick" scheme, leaving a path of destruction in its wake.

While it seems that much of the community is ready to write off just about anything that is vibe-coded, it might be worth taking a deep breath, counting to ten, and doing some research before doing so. Even if the project is for something you've been wanting but didn't know how to make happen yourself, if it's not done correctly, you might end up with an even bigger headache.

A Few Questions