Question
A talented junior pairs with you and, with the agent's help, builds a Python Flask endpoint that lets users export their data as a file. The agent's code takes a user-supplied filename and writes/serves a file from a reports directory. The junior is impressed and ready to ship; the tests pass. You spot that the filename flows into a path without sanitization. How do you handle the pairing moment, name the precise vulnerability, and use it to recalibrate the junior's trust in agent output for security-sensitive code?
Treat the AI’s output as a draft to verify, not an answer to trust. Name the specific flaw and the input that triggers it, say how you’d catch it — tests, edge cases, reading critically — and how you’d re-prompt or decompose to get it right.
Vibe coding: describe the solution in plain language (or narrate it) and the coach grades your approach. Generating runnable code from your description is coming next.