# Jordan Reyes, Indie Developer (ex-Senior Engineer, Plaid) — read of Shipcheck, May 23 2026

> Nine years in fintech infra, two years shipping solo. Currently building my third app. Four-year-old daughter, which means I write almost all my serious code between 9pm and 1am when the house is quiet.

## How I got here

Someone in the Indie Hackers Discord dropped this link with no context, just the URL. I was annoyed enough at my own situation to click it: I'd just finished wiring Stripe into my current project and was having the specific fear that I'd left something stupid in the webhook handler. That's a very particular kind of Sunday-night paranoia and this page knew about it.

## What I clicked first

"Get back the ten things that will sink your launch." That framing is good. Not "comprehensive audit," not "enterprise-grade security," just ten things. That's honest about scope in a way most tools refuse to be. The hero copy also has this line: "Shipcheck reads your public GitHub repo the way a senior engineer would" and that made me stop. I've seen this claim on four different AI tools in the last year. But then the sample report actually shows what that means: `app/api/webhooks/stripe/route.ts · line 18`. A real file, a real line. That's when I kept reading.

## Where I paused

The sample report section. The four findings they show are the right four findings. Unverified Stripe webhooks, admin route with no auth, password reset tokens that never expire, TODO copy left in production. Those are not hypotheticals. I have personally shipped two of those four things. The description of the Stripe issue -- "Anyone on the internet can hit it and mark an order as paid" -- is plain enough that I felt it in my chest a little. That's the moment the page earned some credibility.
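The Stripe finding is the one of the four that most rewards seeing in code. What follows is an added example, not code from this page, from Shipcheck's sample report, or from the reviewer's project: a hand-rolled check of Stripe's `Stripe-Signature` header (per Stripe's documented scheme, `t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`, keyed with the endpoint's signing secret) placed beside the unverified handler shape the report describes. The secret, event body, and timestamp are constructed for the demo; `handleUnverified`, `handleVerified`, and the other function names are the example's own. In a real Next.js route you would call `stripe.webhooks.constructEvent` on the raw request body, which performs this same check.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Stripe's documented scheme: header "t=<unix seconds>,v1=<hex sig>[,v1=<hex sig>...]",
// where sig = HMAC-SHA256(secret, "<t>.<raw body>"). Reject events outside a short window
// so a captured valid request cannot be replayed indefinitely.
const SIGNATURE_TOLERANCE_SECONDS = 300;

interface ParsedSignature {
  timestamp: number;
  signatures: string[];
}

function parseSignatureHeader(header: string): ParsedSignature | null {
  let timestamp: number | null = null;
  const signatures: string[] = [];
  for (const part of header.split(",")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === "t") timestamp = Number(value);
    else if (key === "v1") signatures.push(value);
  }
  if (timestamp === null || !Number.isInteger(timestamp) || signatures.length === 0) return null;
  return { timestamp, signatures };
}

function computeSignature(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// Builds a header the way Stripe's servers would; used here only to exercise the verifier.
function buildSignatureHeader(secret: string, timestamp: number, rawBody: string): string {
  return `t=${timestamp},v1=${computeSignature(secret, timestamp, rawBody)}`;
}

function verifySignature(rawBody: string, header: string | null, secret: string, nowSeconds: number): boolean {
  if (header === null) return false;
  const parsed = parseSignatureHeader(header);
  if (parsed === null) return false;
  if (Math.abs(nowSeconds - parsed.timestamp) > SIGNATURE_TOLERANCE_SECONDS) return false;
  const expected = Buffer.from(computeSignature(secret, parsed.timestamp, rawBody), "hex");
  // Constant-time compare; the regex guarantees both buffers are 32 bytes.
  return parsed.signatures.some((sig) => {
    if (!/^[0-9a-f]{64}$/.test(sig)) return false;
    return timingSafeEqual(Buffer.from(sig, "hex"), expected);
  });
}

// The shape the sample report flags: the body is trusted as-is, so any POST from
// anywhere on the internet can "mark an order as paid".
function handleUnverified(rawBody: string): string {
  const event = JSON.parse(rawBody);
  return event.type === "checkout.session.completed" ? "order marked paid" : "ignored";
}

// Hardened shape: verify the raw bytes before parsing, answer 400 on failure, and only
// then act on the event type. Returns the HTTP status the route would send.
function handleVerified(
  rawBody: string,
  header: string | null,
  secret: string,
  nowSeconds: number,
): { status: number; result: string } {
  if (!verifySignature(rawBody, header, secret, nowSeconds)) {
    return { status: 400, result: "invalid signature" };
  }
  const event = JSON.parse(rawBody);
  return {
    status: 200,
    result: event.type === "checkout.session.completed" ? "order marked paid" : "ignored",
  };
}

// Constructed demo values: not a real signing secret, not a real Stripe event.
const DEMO_SECRET = "whsec_constructed_demo_secret";
const DEMO_BODY = '{"id":"evt_demo_1","type":"checkout.session.completed"}';
const DEMO_NOW = 1_700_000_000;

const demoHeader = buildSignatureHeader(DEMO_SECRET, DEMO_NOW, DEMO_BODY);
console.log("unverified handler:", handleUnverified(DEMO_BODY));
console.log("verified, good header:", handleVerified(DEMO_BODY, demoHeader, DEMO_SECRET, DEMO_NOW));
console.log("verified, no header:", handleVerified(DEMO_BODY, null, DEMO_SECRET, DEMO_NOW));
```

Two details matter in practice and are easy to lose in a framework: the HMAC must be computed over the exact raw request body (a re-serialized JSON object will not match), and the timestamp tolerance only narrows the replay window, so the handler should also record processed event ids and ignore duplicates.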

## What I distrusted

Three things, in order of how much they bothered me.

First: "Public GitHub repos only for now." My real projects with real secrets are not public. The repos I'm most worried about are private. I get that OAuth complicates things and storage raises questions, but this is a fundamental limitation that the page buries in the "How it works" section, step one, after you've already mentally committed. If I'm scanning a public repo, odds are decent I already know it's relatively clean, or at minimum that no secrets are actually in the repo since public repos get scraped constantly and you learn fast.

Second: The testimonial. "Marcus T., shipped his first paid SaaS in March." No last name, no product name, no link. This could be real. It could be the founder's friend. It could be a GPT-4 output. The page is positioned as an antidote to AI slop and then the social proof is the least verifiable thing on the internet.

Third: "Claude-driven semantic pass." I don't have a problem with using Claude. I use Claude. But the page is silent on what happens with my code after the scan. "We don't store your code" is in the how-it-works section but it's one clause. If Claude is reading my repo, Anthropic's data practices apply in some form. A one-sentence privacy note for a security product is not enough.

## What would convince me

Private repo support, even if it's a higher tier or a different auth model. OAuth with read-only scope and an explicit deletion policy would get me. Or a self-hosted option even if it's $20/mo more. The public-only limitation isn't just a feature gap; it limits the use case to toy projects that don't really need this.

On the testimonials: a real product name and a link to it. I'd love to be able to see "Marcus T. shipped X, here's the launch tweet, here's the Shipcheck report he ran." That's a story. One paragraph and a first-name-last-initial is not.

## What I'd ask in an email reply

1. The page says "we read the public tree" and "we don't store your code" but what specifically is sent to Claude? Is the full file content passed or just the relevant snippets? And does the Claude API session get stored in Anthropic's systems at all?

2. Is private repo support on the roadmap and what would that actually look like? Read-only GitHub App install, short-lived token, something else?

3. The "If the finding doesn't tell you exactly what to change, we mark it incomplete and don't charge you" line is the strongest promise on the page. How often does that actually happen in practice? What percentage of scans trigger a partial or no-charge outcome?

## Verdict: curious-enough-to-reply

The problem description is genuinely good and the sample report shows real specificity instead of vibes. I'd send the three questions above and see if the founder sounds like someone who has actually shipped a product with these constraints or someone who wrote a landing page about it.

---
*Memo by skeptic persona, generated 2026-05-23. Studio breaks own self-grading loop.*
