See what your code actually does.
Test any public GitHub repo — an MCP server, an npm package, an AI skill. See auth coverage, risk paths, and dependency signals before you install or integrate.
See real results
Each demo is a real repo. Pick one, see what Shoulder catches.
SQL injection in one line
A dev replaces a parameterized query with string concatenation. Shoulder flags it instantly.
AI proxy with no guardrails
Hardcoded API key, user-controlled URL, no rate limiting — three findings from one shortcut.
Vulnerable API — full posture
SQLi, missing auth, no rate limiting, credential exposure. Everything wrong with this API in one scan.
Malicious dependency
Not a code bug — a supply chain attack. Shoulder catches what SAST tools miss.
What you'll see
Trust profile
Auth coverage, public vs. protected routes, and where trust breaks down.
Attack paths
Confirmed paths from user input to dangerous execution — SQL, shell, eval, deserialization.
Ecosystem signals
Dependency risk, maintainer trust, and suspicious package patterns.
Want to scan your own projects? Install the CLI — it runs locally and your source code never leaves your machine.
npm install -g @shoulderdev/cli