# Ryan Kowalczyk, Founder at Stackform.io — read of Shipcheck, May 6, 2026

> "Former PM, two years into my first real solo SaaS. I write my own code now, mostly with Cursor. My daughter is 6. I build things during her swim lessons on Saturday morning."

## How I got here

Someone in the Indie Hackers Telegram I'm in dropped the link with a one-liner: "this found a verified Stripe webhook issue in my repo, go scan yours." That's a specific enough claim that I clicked. I wasn't searching for a security tool. I wasn't even thinking about security. I was thinking about whether the onboarding flow I shipped last week looks broken on Android. That detail matters because I came in warm but distracted.

## What I clicked first

The mock report card in the hero. Not the headline, not the CTA. The little UI artifact showing "Hardcoded API key in lib/db.ts · High" with a B- grade. That's the move. I've read a hundred SaaS hero sections that say "finally, a tool that catches what others miss." This one just shows you the output. I kept reading.

The line that actually stopped me was: "looking for the security holes, missing tests, abandoned auth flows, and embarrassing comments your AI coding tool shipped at 2am." That's accurate in a way that's almost annoying to read. I recognized myself in it.

## Where I paused

The sample report section. Specifically the finding: "Admin dashboard route has no auth / The /admin route renders without checking if the visitor is logged in or has admin role. Anyone who guesses the URL sees user list, revenue, and the delete-account button." I sat on that one for a while because I have an admin route and I genuinely could not remember if I gated it properly. That's the kind of specific, concrete fear the page is designed to activate, and it worked.

The "if the finding doesn't tell you exactly what to change, we mark it incomplete and don't charge you" line also stopped me. That's an unusually specific promise. Either it's real, or someone is going to write a very satisfying Hacker News post about the time it wasn't.

## What I distrusted

"4,200+ repos scanned." That number is sitting there with no date, no context, no rate. Is that since last week or since 2023? If it's real traction, show me the trajectory. If it's a vanity counter that's been sitting at 4,200 since November, that's a different thing entirely.

The testimonial from "Marcus T., shipped his first paid SaaS in March" is doing almost no work. No last name, no product name, no link. That quote reads like something you'd write as a placeholder and then forget to replace. The irony of a tool that flags "AI placeholder text in 3 routes" shipping a testimonial that feels like a placeholder is not lost on me.

Also: "a Claude-driven semantic pass." That's in the "how it works" section with no other explanation. So the audit is itself AI-generated. That's not automatically bad, but it's worth naming, and the page sort of buries it. I noticed it on the second read.

## What would convince me

One real founder, full name, real product I can visit, talking about a specific finding Shipcheck caught that would have genuinely hurt them. Not "best nine dollars I've spent." Something like: "It flagged that my /api/webhooks/stripe route had no signature verification. I fixed it in 20 minutes. Three days later someone actually tried to hit it." That kind of thing. The specificity of the sample report exists elsewhere on the page. The testimonial needs to match that energy.

A before/after on one real public repo would do it. Show me the report that came back, show me the commit that fixed it, show me the re-scan that cleared the findings. That's a 10-minute case study that would close me.

## What I'd ask in an email reply

1. The scan uses Claude for the semantic pass. What does that mean in practice for false positives? If I'm on a deadline the night before launch and I get 10 findings, how confident should I be that they're all real?

2. You say "public repos only at launch." My actual repo is private. I'm not going to open it up to test a $9 tool. When is the $49 plan with private repo support actually shipping, and is there a waitlist?

3. The "we keep the report for 90 days" line. Who can see my report? Is it accessible by URL alone or is there auth on it? Because a report that lists all the vulnerabilities in my app is almost as sensitive as the code itself.

## Verdict: curious-enough-to-reply

The page communicates the problem better than almost anything I've read in this category, and the $9 price removes basically all friction. The testimonial is weak and the "4,200 repos" claim needs a timestamp, but neither of those is a dealbreaker. I'd scan a throwaway repo tonight just to see if the output matches the sample.

---
*Memo by skeptic persona, generated 2026-05-06. Studio breaks own self-grading loop.*
