
SLOPPOKE

Sloppoke is a blazing fast slop detector for LLM-generated codebases that saves your git history from entropy.

Sub-10ms verdict per patch. Pre-commit gate that catches LLM residue — verbose, defensive, plausible but wrong — before it lands. Evolves with every diff you ship.

Linters check syntax. Sloppoke checks intent. Built for teams shipping with Cursor, Claude Code, Copilot.

curl -fsSL sloppoke.me/install.sh | sh

One command, macOS + Linux, x86_64 + arm64. Then slop login and slop poke. Homebrew and from-source installs are listed under Install.

 

Score a public repo

Paste a github URL. Score over the last 100 commits, out of 100. Higher is cleaner.


      The AI slop detector for teams shipping with LLMs

      Sloppoke is the slop detector + AI slop fix tool for the codebase your team ships with Cursor, Claude Code, or Copilot. Same engine catches LLM slop (the residue every assistant leaves around the working code) and patches it in the same commit.

      Three names, one tool: AI slop detector when you ask what it does, LLM slop tool when you list what's in your stack, AI code slop fix when you describe the cleanup. The pre-commit gate is the same either way.

      How it works

      diff → scan → verdict → apply

      slop poke sends your staged diff, returns a verdict + a unified-diff patch. Sub-10ms. Safe deletes auto-applied; anything semantic gets a // TODO(slop) spliced — you decide.

      Adaptive. Every slop learn "…" tunes detection for your account. False positives quiet down, real misses get caught next time.

      Tiers

      Launch − 40%

      Starter

      $12 / month (launch price, regular $20)
      • 100,000 pokes / month
      • All detectors + adaptive learning
      • One SSH key per sub
      • 30-day money-back guarantee · cancel anytime

      Install, run slop poke — first metered call returns a Stripe URL keyed to your SSH key. No signup.

      Enterprise

      Talk to us
      • Custom volume + team accounts
      • Private-corpus calibration
      • SLA, audit trail, SSO
      • On-prem or confidential-compute (TEE) deployment

      Or email us.

      Install

      Homebrew (macOS + Linux)

      brew install peeramid-labs/tap/slop

      From source

      git clone https://github.com/peeramid-labs/sloppoke.git
      cd sloppoke
      cargo install --path crates/sloppoke-cli

      First run

      slop login                              # SSH-key handshake
      slop poke                               # scan working tree
      slop poke --gh org/repo --range X..Y    # scan any public repo
      slop apply                              # apply + amend HEAD

      Stdout = patch, stderr = verdict — pipes to git apply --unidiff-zero or delta directly.

      Claude Code plugin — slash commands + skill bundled:

      /plugin marketplace add peeramid-labs/sloppoke
      /plugin install sloppoke@peeramid-labs

      Adds /slop:poke, /slop:apply, /slop:learn. Skill ships inside.

      Just the skill (Cursor / Continue / any agent):

      mkdir -p ~/.claude/skills
      curl -fsSL https://raw.githubusercontent.com/peeramid-labs/sloppoke/main/skills/slop.md \
        -o ~/.claude/skills/slop.md

      Privacy & data

      Servers in Germany, EU rules. We process diffs, return verdicts, persist only the learning signals — never raw source. Purge anytime via billing portal.

      Identity = SSH key fingerprint. No emails, no usernames, no trackers. Stripe handles billing in isolation.

      Security

      Both CLI and server in Rust — memory-safety CVEs don't exist by construction. Minimal deps: one binary, one HTTP client, one ssh-keygen sign.

      7-day release buffer on third-party crate upgrades — they bake, the Rust security advisory feed catches bad ones, then we ship. Stable over cutting edge.

      FAQ

      How do you characterize slop?
      Slop is what writing-by-suggestion leaves behind in source. Three flavours, all easier to feel than to define: wordy nothing (comments that restate the next line, names that say less than nothing), defensive theatre (guards for impossible cases, empty catches, retries with no upstream), and unfinished work shipped (placeholder brackets, untested branches, stub markers, AI-authorship trailers committed instead of staying in the metadata).

      We don't publish the catalog — and it isn't static. Every slop learn "…" you submit calibrates the engine for your account; the set firing on your repo on day 30 isn't the set firing today.

      Why no GitHub app or PR bot?
      By the time a PR bot fires, the slop already lives in your git history — comments, placeholder names, half-finished branches all baked into the commit you'll force-push to clean up. slop poke works the other end of the timeline: it runs against your staged diff before the commit lands. Same patch, one step earlier, no history to rewrite.

      CI is still covered. The same slop poke --range $BASE..$HEAD drops into any GitHub Actions / GitLab CI / Forgejo Actions / Jenkins pipeline as a one-liner gate, exits non-zero on SLOP, and posts the verdict to the job log. You get the belt-and-suspenders coverage of a PR bot without ceding a GitHub-App install scope on your repo.
      Why SSH keys instead of an email signup?
      Your dev environment already trusts an SSH key — that's the one git uses to push. We reuse it as identity so there's nothing new to provision: no email to verify, no password to rotate, no OAuth scope to audit. Every request is signed with ssh-keygen -Y sign (the same primitive ssh-agent uses), so the server proves it's talking to your key without ever seeing the private half. Fingerprint = account. No emails on file means no breach target and no marketing list to leak. Bonus: the same key works in CI — drop it in a GitHub secret, done.
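
The signing exchange described above, as an added example that is not Sloppoke's own code: a client signs a request body with `ssh-keygen -Y sign`, and a verifier holding only the public key accepts it, then rejects a modified body and a mismatched namespace. The namespace `slop-demo`, the principal `dev@example.invalid`, the throwaway key and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not Sloppoke code. The namespace, principal and key below are
# constructed for the demo; the service's real values are not on the page.
NS="slop-demo"                 # hypothetical signature namespace
WHO="dev@example.invalid"      # hypothetical principal name

# Create a throwaway ed25519 key pair and an allowed_signers file in dir $1.
setup_identity() {
  ssh-keygen -q -t ed25519 -N "" -C demo -f "$1/id" || return 1
  printf '%s %s\n' "$WHO" "$(cut -d' ' -f1,2 "$1/id.pub")" > "$1/allowed_signers"
}

# The account identifier the page describes: the public key's fingerprint.
fingerprint() { ssh-keygen -lf "$1/id.pub" | cut -d' ' -f2; }

# Client: sign the request body in file $2 with the private key; signature on stdout.
sign_request() { ssh-keygen -Y sign -f "$1/id" -n "$NS" < "$2" 2>/dev/null; }

# Verifier: check signature file $3 over body $2 using only the public key.
# Optional $4 overrides the namespace the verifier insists on.
verify_request() {
  ssh-keygen -Y verify -f "$1/allowed_signers" -I "$WHO" -n "${4:-$NS}" \
    -s "$3" < "$2" >/dev/null 2>&1
}

# Run the exchange; prints one word per check:
# genuine body, modified body, genuine body under a different namespace.
demo() {
  d=$(mktemp -d) || return 1
  setup_identity "$d" || return 1
  printf '+fn main() {}\n' > "$d/body"                 # constructed diff line
  sign_request "$d" "$d/body" > "$d/body.sig" || return 1
  verify_request "$d" "$d/body" "$d/body.sig" && r1=accepted || r1=rejected
  printf '+fn main() { changed() }\n' > "$d/tampered"  # body altered after signing
  verify_request "$d" "$d/tampered" "$d/body.sig" && r2=accepted || r2=rejected
  verify_request "$d" "$d/body" "$d/body.sig" other-ns && r3=accepted || r3=rejected
  echo "$r1 $r2 $r3"
  rm -rf "$d"
}
```

Calling `demo` prints `accepted rejected rejected`: the signature is bound to both the exact bytes of the body and the namespace, and verification never touches the private key file.
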
      What does slop actually see about my code?
      The unified diff. Nothing else. The CLI shells out to git diff locally, captures the changed lines (plus the file paths in the diff header), and POSTs that patch text to the server. Files you didn't touch never leave your machine. We don't know which repository the diff came from — there's no origin URL, no remote name, no commit SHA pointing at your upstream. We don't clone anything, we don't list your branches, we don't have an OAuth token to your GitHub or GitLab. The server processes the patch in memory, returns a verdict + an apply-able patch, and persists only the learning signals tuned to your fingerprint. Yes — the patch itself contains the literal source lines you changed; if those lines are confidential, treat sending them the same way you'd treat pasting them into any code-review tool.
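
Since the patch text carries file paths and the literal changed lines, a local check can list exactly that before anything is sent. The function below is an added example, not part of Sloppoke: it reads a unified diff, reports each path with its added and removed line counts, and flags added lines that look like credentials. The function name `audit_diff`, the output format, the exit code 3 and the two heuristics are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not Sloppoke code: summarise what a unified diff discloses.
# stdin : unified diff (for instance the output of `git diff --cached`)
# stdout: "FLAG <path>: <reason>" per suspicious added line, then
#         "FILE <path> +<added> -<removed>" per file
# exit  : 0 nothing flagged, 3 an added line matched a secret heuristic
audit_diff() {
  awk '
    function flag(why) { printf "FLAG %s: %s\n", path, why; hits++ }
    # Inside a hunk, consume exactly the line counts the @@ header promised, so
    # changed lines that begin with "--- " or "+++ " are not taken for headers.
    old > 0 || new > 0 {
      c = substr($0, 1, 1)
      if (c == "+") {
        new--; add[path]++
        s = substr($0, 2); l = tolower(s)
        if (s ~ /-----BEGIN [A-Z ]*PRIVATE KEY-----/) flag("private key block")
        else if (l ~ /(password|passwd|secret|api_?key|token)[a-z_]*"?[ \t]*[:=]/)
          flag("credential assignment")
      } else if (c == "-") { old--; del[path]++ }
      else if (c != "\\") { old--; new-- }      # context line
      next
    }
    /^--- / { was = substr($0, 5); sub(/\t.*/, "", was); sub(/^a\//, "", was); next }
    /^\+\+\+ / {
      path = substr($0, 5); sub(/\t.*/, "", path); sub(/^b\//, "", path)
      if (path == "/dev/null") path = was        # deleted file keeps its old name
      if (!(path in seen)) { seen[path] = 1; order[++n] = path }
      next
    }
    /^@@ / {                                     # @@ -start,count +start,count @@
      split(substr($2, 2), o, ","); split(substr($3, 2), w, ",")
      old = (2 in o) ? o[2] + 0 : 1
      new = (2 in w) ? w[2] + 0 : 1
    }
    END {
      for (i = 1; i <= n; i++)
        printf "FILE %s +%d -%d\n", order[i], add[order[i]], del[order[i]]
      exit (hits > 0) ? 3 : 0
    }
  '
}
```

Run it as `git diff --cached | audit_diff` ahead of `slop poke`; a non-zero exit means a staged line deserves a look before the diff leaves the machine.
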
      What languages are supported?
      Surface-level detection runs on every language. The deeper analysis layer — cross-file checks, branch-coverage inference, comment-vs-identifier reasoning — lights up first for Rust, TypeScript / JavaScript, Python, and Go. More languages come online over time and the server updates continuously, so you get the new coverage without re-installing the CLI.
      What if I disagree with a finding?
      Run slop learn "false positive on … because …". That signal trains the engine for your account and project specifically — the same false positive quiets down on the next scan. We do not retain the raw text of your feedback beyond the learning step; only the calibration weights persist.
      Can sloppoke run inside a Trusted Execution Environment?
      Yes, under an Enterprise engagement. The server binary runs inside an AMD SEV-SNP confidential VM — patch text is decrypted only inside the guest's encrypted memory, and we (the operator) cannot read your diffs even with root on the host. You verify the running binary via remote attestation before sending any data: the platform reports a cryptographically signed measurement of the guest image, your client checks it against the build hash we publish, and the session key is sealed to that measurement. Trust the math, not the operator. EU data residency by default; alternative TEE stacks (Intel TDX, AWS Nitro) on request. Pricing depends on volume — ping us.
      Can I run it on-prem or self-hosted?
      The hosted server covers the Starter tier. On-prem is available under the Enterprise tier — private-corpus calibration, SSO, SLA, audit trail, and a server image you run inside your perimeter. Ping engineering@peeramid.xyz.
      Does the CLI work without the cloud API?
      Today: no. The CLI is a thin client — it posts the diff over HTTPS and the catalog match runs server-side. Without the API there's no verdict. The algorithm is proprietary; on-prem and confidential-compute (TEE) deployments are available for Enterprise if you need to keep everything inside your perimeter.

      Data policy. Patches are retained 24 h for the learning loop, processed by our own model fleet (not third-party LLM APIs) in an async deliberation loop that does not affect slop poke latency. After 24 h only anonymized, generalized detection patterns survive — server-side, scoped to your account. EU residency by default; per-account purge on request.