third-party
github.com/patternsdev/skills
Scanned Thu, 28 May 2026 17:37:52 GMT
Scan ID crawl-h33ul5ugzcse6o0wh4rex3xv · 3ms
B
SCORE 75 / 100
Verdict: Safe to install

3 medium findings.

This skill ships without a capability manifest plus 2 other issues listed below.

0 critical · 0 high · 3 medium · 9 rules passed

Why grade B?

score · 75 / 100

The current grade reflects 3 medium findings (3+ MEDs → B).

0 CRIT · 0 HIGH · 3 MED · 0 LOW
To reach a higher grade
  • A: reach A (target score 95)

    Resolve 1 of 3 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
med
Link text shows "builder.io" but points at github.com
The visible link text contains the domain `builder.io`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 205 · CWE-601

  203 | To optimize third-parties, development teams should understand the nuances of resource hints, lazy loading, HTTP caching, and service workers and then implement these in their solutions. Some frameworks and libraries have encapsulated these best practices in a way that developers can easily use.
  204 |
  205 | [Partytown created by Builder.io](https://github.com/BuilderIO/partytown) is an experimental library that helps run resource-intensive scripts on a [web worker](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API) instead of the main thread. Their philosophy is that the main thread should be dedicated to your code, and any scripts that are not required by the critical path can be sandboxed and isolated to a web worker. Partytown allows you to configure access to the main thread APIs such as cookies, localStorage, userAgent, etc. API calls may also be logged with arguments to get a better insight into what the scripts do.
        ↳ text → builder.io · href → github.com
  206 |
  207 | JavaScript proxies and a service worker handle communication between the web worker and the main thread. Partytown scripts must be self-hosted on the same server as the HTML documents. It may be used with React or Next.js apps or even without any framework. Each third-party script that can execute in a web server should set the type attribute of its opening script tag to text/partytown as follows.
med
Link text shows "next.js" but points at nextjs.org
The visible link text contains the domain `next.js`, but the URL actually targets `nextjs.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 261 · CWE-601

  259 | ### Next.js `Script` component
  260 |
  261 | Next.js 11 was released in mid-2021 with components based on the [Conformance](https://web.dev/conformance/) methodology introduced by Google's Aurora team. The [Next.js Script component](https://nextjs.org/docs/basic-features/script) uses conformance by providing a customizable template that improves loading performance. The Script component encapsulates the `<script>` tag and allows you to set the loading priority for third-party scripts using the strategy attribute. The strategy attribute can take three values:
        ↳ text → next.js · href → nextjs.org
  262 |
  263 | 1. **beforeInteractive**: Use this for critical scripts that the browser should execute before the page becomes interactive. (e.g., bot detection)
skillox.io/r/crawl-h33ul5ugzcse6o0wh4rex3xv