B
SCORE 75 / 100
$ skillox install third-party (Soon)
Why grade B?
score · 75 / 100
The current grade reflects 3 medium findings (3+ MEDs → B).
0 CRIT · 0 HIGH · 3 MED · 0 LOW
To reach a higher grade
- A · Reach A · target score 95
Resolve 1 of 3 MED (cap is 2).
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Latest scan findings
Scan crawl-h33ul5ugzcse6o0wh4rex3xv · Thu, 28 May 2026 17:37:52 GMT · 3ms
med · No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
med · Link text shows "builder.io" but points at github.com
The visible link text contains the domain `builder.io`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
203  To optimize third-parties, development teams should understand the nuances of resource hints, lazy loading, HTTP caching, and service workers and then implement these in their solutions. Some frameworks and libraries have encapsulated these best practices in a way that developers can easily use.
204
205  [Partytown created by Builder.io](https://github.com/BuilderIO/partytown) is an experimental library that helps run resource-intensive scripts on a [web worker](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API) instead of the main thread. Their philosophy is that the main thread should be dedicated to your code, and any scripts that are not required by the critical path can be sandboxed and isolated to a web worker. Partytown allows you to configure access to the main thread APIs such as cookies, localStorage, userAgent, etc. API calls may also be logged with arguments to get a better insight into what the scripts do.
← text → builder.io · href → github.com
206
207  JavaScript proxies and a service worker handle communication between the web worker and the main thread. Partytown scripts must be self-hosted on the same server as the HTML documents. It may be used with React or Next.js apps or even without any framework. Each third-party script that can execute in a web server should set the type attribute of its opening script tag to text/partytown as follows.
med · Link text shows "next.js" but points at nextjs.org
The visible link text contains the domain `next.js`, but the URL actually targets `nextjs.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
259  ### Next.js `Script` component
260
261  Next.js 11 was released in mid-2021 with components based on the [Conformance](https://web.dev/conformance/) methodology introduced by Google's Aurora team. The [Next.js Script component](https://nextjs.org/docs/basic-features/script) uses conformance by providing a customizable template that improves loading performance. The Script component encapsulates the `<script>` tag and allows you to set the loading priority for third-party scripts using the strategy attribute. The strategy attribute can take three values:
← text → next.js · href → nextjs.org
262
263  1. **beforeInteractive**: Use this for critical scripts that the browser should execute before the page becomes interactive. (e.g., bot detection)
skillox.io/c/third-party