There is a fine line between "not proofreading" and "not paying attention at all to the output." There are many things that look like they work, but won't pass a sniff test, especially when it comes to security or performance. I witnessed agents create "private" endpoints that had no authentication, but sent user IDs as part of the payload and trusted them.
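The endpoint pattern described above, next to a hardened form, as an added example that is not code from the original text. The handler names, the `ORDERS` data and the HMAC token (a minimal stand-in for whatever session mechanism a service actually uses) are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed demo values; a real service loads its key from a secret store.
SERVER_KEY = b"demo-key-not-for-production"
ORDERS = {"alice": ["order-1001"], "bob": ["order-2002"]}


def issue_token(user_id: str) -> str:
    """Issued by the server after login: the user id plus an HMAC tag over it."""
    tag = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def authenticated_user(token: str | None) -> str | None:
    """Return the user id bound to a valid token, or None if it does not verify."""
    if not token or "." not in token:
        return None
    user_id, tag = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return user_id if ok else None


def list_orders_trusting_payload(body: str) -> tuple[int, list[str]]:
    """The reviewed-too-lightly version: no authentication, identity from the payload."""
    user_id = json.loads(body).get("user_id")
    return 200, ORDERS.get(user_id, [])


def list_orders_hardened(body: str, token: str | None) -> tuple[int, list[str]]:
    """Identity comes only from the verified token; the payload cannot override it."""
    caller = authenticated_user(token)
    if caller is None:
        return 401, []
    claimed = json.loads(body).get("user_id")
    if claimed is not None and claimed != caller:
        return 403, []  # payload names a different user than the session
    return 200, ORDERS.get(caller, [])
```

A review check that catches this class of bug: any handler that reads an identity field from the request body should also show where that identity was verified.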