Github
App Quality Report
Powered by Testers.AI
Quality Score: B+ 89%
Pages: 7
Issues: 76
Avg Confidence: 7.8
Avg Priority: 7.7
Severity: 25 Critical, 35 High, 15 Medium, 1 Low
Testers.AI AI Analysis

Github was tested and 76 issues were detected across the site. The most critical finding was: AI/LLM endpoint detected on page load (Performance/Privacy risk). Issues span the Security, Performance, A11y and Other categories. Persona feedback rated Visual highest (9/10) and Accessibility lowest (6/10).

Issue Count by Type
Content: 30
UX: 20
A11y: 13
Security: 1
Pages Tested · 7 screenshots
Detected Issues · 76 total
1. AI/LLM endpoint detected on page load (Performance/Privacy risk)
CRIT P9 · Conf 9/10 · Performance, Security, Other
Prompt to Fix
Identify any AI/LLM API calls that fire on page load. Move all such calls behind a user interaction or explicit consent, implement lazy-loading for AI features, and add a consent prompt. Add exponential backoff and error handling for 429/5xx responses, and ensure endpoints use secure HTTPS with proper authentication headers. Provide a patch that wraps AI calls in a lazy-loading utility and updates the UI to reflect pending AI data until user approves.
Why it's a bug
The console shows a warning: "⚠️ AI/LLM ENDPOINT DETECTED" and there are network calls suggesting LLM/AI endpoints may be invoked during initial page load. This can impact performance, increase payload, and raise privacy concerns by making AI prompts or data fetches before user consent or explicit interaction.
Why it might not be a bug
If AI features are core to the experience and properly consented, it might be acceptable. However, from the screenshot, there is clear evidence of an LLM endpoint being used on load, which is a high-risk pattern without evidence of user-initiated action.
Suggested Fix
Defer all AI/LLM API calls until user action or explicit consent. Implement lazy-loading or feature-flag controlled loading, add user consent UI, implement robust retry/backoff for 429/5xx, and ensure endpoints are protected with proper authentication and TLS. Audit payload size to avoid token bloat.
Why Fix
Improves page performance, reduces unnecessary data transfer, and aligns with privacy expectations by avoiding unsolicited AI data processing on initial paint.
Route To
Frontend/Performance Engineer + Security Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: ⚠️ AI/LLM ENDPOINT DETECTED
Network: GET https://github.com/features/models - Status: 200
2. Cross-site tracking risk from third-party asset loading (images.ctfassets.net)
HIGH P8 · Conf 8/10 · Other
Prompt to Fix
Identify all third-party asset loads on the Spark page (e.g., images.ctfassets.net). For each third-party asset, determine if user consent is required. If consent is not present, implement gating: prevent loading the resource until the user opt-in is captured. Add a CSP that restricts image sources to self or approved domains, and set Referrer-Policy to no-referrer or strict-origin. If third-party assets must remain, serve them via a privacy-preserving proxy or ensure per-view consent is documented in the privacy notice. Provide a developer-friendly diff that updates the front-end to conditionally load these assets based on consent and updates CSP and header policies accordingly.
Why it's a bug
The page loads multiple resources from a third-party domain (images.ctfassets.net). These requests can reveal the user’s IP, user agent, and referrer to a third party, enabling cross-site tracking without explicit user consent. This constitutes potential data sharing with a third party and widens the surface for privacy leakage.
Why it might not be a bug
Loading static assets from a CDN is common and often acceptable if privacy disclosures and consent mechanisms are in place. The provided logs do not show explicit PII in query strings or body data, and asset delivery is typical for modern sites. However, without consent indicators, this still represents a potential privacy risk that should be mitigated.
Suggested Fix
1) Audit and minimize third-party asset loading. Where possible, host assets on the same domain (or a privacy-preserving CDN) to reduce IP exposure.
2) Implement consent gating for loading third-party assets (opt-in before fetching images from images.ctfassets.net).
3) Enforce a strict Content-Security-Policy (CSP) that limits img-src to self or approved domains and set an appropriate Referrer-Policy.
4) Consider loading lightweight placeholders or inlined assets for critical visuals to avoid external fetches unless consent is given.
Why Fix
Reducing or gating third-party asset requests decreases exposure of user IP to external services and reduces cross-site tracking risk, improving user privacy and regulatory compliance while preserving user trust.
Route To
Privacy Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Network: GET https://images.ctfassets.net/8aevphvgewt8/1jwTWLD2LZwSC75CV6opvO/84b74fba48947786a36b2c165cdb98a5/spark-hero-bg.webp?fm=webp&q=90
3. Excessive number of network requests on login page
CRIT P9 · Conf 9/10 · Performance, Other
Prompt to Fix
Identify all 216 requests on the login page. Remove or lazy-load non-critical assets; bundle and minify CSS/JS; move non-essential third-party scripts to async/defer; implement code-splitting and font loading strategies to minimize blocking requests.
Why it's a bug
The total number of network requests shown for the sign-in page is 216, which can lead to higher latency and slower First Contentful Paint (FCP) and Time to Interactive (TTI), especially on slow/mobile networks. This pattern increases overhead and can degrade user experience during initial render.
Why it might not be a bug
Some assets may be required for proper rendering/branding; however, the volume suggests potential over-fetching or non-critical assets loaded upfront.
Suggested Fix
Audit critical vs. non-critical assets on the login page. Consolidate CSS/JS where possible, remove unused assets, and implement code-splitting. Move non-critical resources to load asynchronously or after initial render (defer/async). Consider preconnecting to required origins and enabling HTTP/2 to benefit from multiplexing.
Why Fix
Reducing requests lowers total payload, improves LCP/TTI, and delivers a snappier login experience, improving user satisfaction and SEO signals tied to Core Web Vitals.
Route To
Frontend Performance Engineer
Page
Tester
Tariq · Performance Specialist
Technical Evidence
Network: GET https://github.githubassets.com/assets/light-0c8222dcd7a4f9b7.css
28 more issues detected
Empty button label detected in AI-generated UI content
Empty placeholder UI elements (invisible/undisplayed control...
Render-blocking CSS/JS assets delaying first render
and 25 more...
You're viewing the top 3 issues for Github.