6 checks before merging AI-agent generated code

A developer has published a checklist for reviewing AI-agent-generated code before merging, highlighting risky areas such as dependency changes, sensitive paths, and missing tests. The checklist is packaged as a Python CLI tool that scores diffs to flag potential issues. The developer invites community feedback on additional risk categories.

AI coding agents are useful because they can make large changes quickly. That is also the reason I do not want to merge their patches just because the final answer says “done”. The risky failure mode is not usually obvious broken code. It is a plausible patch that quietly touches a risky area. Here is the checklist I use before merging AI-agent generated diffs. Look for package files and lockfiles: package.json requirements.txt pyproject.toml go.mod Dependency changes should get explicit review. A tiny source diff plus a large dependency change is not tiny. Slow down if the patch touches: .env parsing,These are exactly the areas where “it builds” is not enough. Not every patch needs new tests, but source changes with zero test changes should be visible in review. At minimum, the author/agent should provide real command output showing what was run. Large generated files can bury important edits. If a patch changes a minified file, lockfile, generated client, or build artifact, review the source of that generated output too. Search for suspicious strings: api key token secret password Even test fixtures deserve a second look. I want to see the command and real result, not just a summary. Good: npm test 18 passed Weak: Tests should pass. I packaged this workflow as a small local Python CLI that scores a unified diff before merge. Example: git diff change.patch python src/agent change risk auditor.py audit --diff change.patch It flags dependency changes, sensitive paths, source-without-tests, large/generated changes, and secret-like literals. The point is not to replace human review. The point is to make “slow down and inspect this patch” visible before merge. I put the checklist and example report here: There is also a small paid Gumroad kit for teams that want the source, CI template, and Pro workflow pack: Question: what risk category would you add to this checklist for AI-generated patches?