www.costco.com

Report from 6/30/2026, 2:12:02 PM https://www.costco.com
45
Overall score
weighted CAV (0–100)
FAIL
0–4950–8990–100

Metrics

5%
CRR Content Recovery Poor
0.59
SSD Semantic Signal Density Needs work
1,057 tok
TC Token Cost Good
111 ms
TTFUT Time to First Useful Token N/A

Final screenshot

Final screenshot of https://www.costco.com

Diagnostics

high CRR Content is hidden behind JavaScript

95% of content requires JS · 5% of rendered content recovered (rest is placeholder/wrong)

Fix: Server-render or statically generate the main content so a non-JS agent still receives it; make client rendering a progressive enhancement, not the source of truth.

medium SSD Low signal-to-noise for agents

signal 0.19 · generic JSON-LD 1/1

Fix: Wrap the real content in <main>/<article>, cut repeated nav/boilerplate, and keep the primary content dense and early in the DOM.

Rendered profile: headless

Agent Discoverability 55/100 · Needs Work

Access & discovery checks — separate from the gated CAV metrics above. Click an issue for business impact, what we measured, and how to fix. · Take the Agent Readiness course →

Agent files & endpoints

llms.txt Absent at /llms.txt and /.well-known/llms.txt Learn →
robots.txt (AI bots) Major AI bots allowed Learn →
sitemap.xml Found at /sitemap_index.xml Learn →
JSON-LD structured data No JSON-LD found Learn →
~ agents.json Absent (emerging standard) Learn →
~ WebMCP endpoint Absent (emerging standard) Learn →
~ OpenAPI / API docs No OpenAPI/Swagger found Learn →

Issues (8)

No CAPTCHA wall high impact Detected: recaptcha

Business impact CAPTCHAs stop bots — including the AI agents your customers send to shop or book. Content behind a challenge is unreachable.

What we measured We fingerprint reCAPTCHA, hCaptcha and Cloudflare Turnstile in the page.

How to fix Reserve CAPTCHA for login/checkout flows, never public content pages.

Spec: https://developers.cloudflare.com/turnstile/

~ No content-blocking cookie wall medium impact Consent platform: onetrust (verify it doesn't block content)

Business impact A consent wall that hides content until a click is invisible to agents — they cannot click 'Accept'.

What we measured We fingerprint OneTrust, Cookiebot, Usercentrics and similar managers and flag content-blocking ones.

How to fix Use an overlay banner that leaves content in the DOM, not a blocking interstitial.

Spec: https://gdpr.eu/cookies/

llms.txt present high impact Absent at /llms.txt and /.well-known/llms.txt

Business impact llms.txt is the robots.txt for AI: it tells agents what your site is, what matters, and where to find it. Without it AI guesses — and guessing means inaccurate recommendations and lost visibility.

What we measured We fetch /llms.txt and /.well-known/llms.txt and validate the spec (H1 title + a one-line blockquote summary). We also note /llms-full.txt (your full content as Markdown).

How to fix Create /llms.txt with a short summary + key pages; optionally /llms-full.txt with full content in Markdown.

Learn how to implement →

# Your Site
> One-line description for AI agents.

## Key pages
- /products — catalog
- /pricing — plans
- /docs — documentation

Spec: https://llmstxt.org

~ No login wall on public content high impact Login signal: members only

Business impact Public content behind authentication is unreachable to agents (they have no account). Gate only genuinely private material.

What we measured We follow redirects and detect 401/403 and login-form signals on content pages.

How to fix Separate public marketing/docs from authenticated areas; keep public pages reachable without login.

Spec: https://llmstxt.org

Structured data (JSON-LD) medium impact No JSON-LD found

Business impact Schema.org JSON-LD tells agents what a page IS (product, article, business) with typed fields (price, rating, hours). Without it agents extract less reliably.

What we measured We parse <script type=application/ld+json>, validate it, and check for populated @type fields.

How to fix Add JSON-LD: Organization/LocalBusiness on the homepage, Product on product pages, Article on posts.

Learn how to implement →

<script type="application/ld+json">{"@context":"https://schema.org","@type":"Organization","name":"Your Co","url":"https://example.com"}</script>

Spec: https://schema.org/

~ agents.json discovery low impact Absent (emerging standard)

Business impact agents.json describes what your site can DO for agents (services, endpoints, capabilities) — an emerging discovery standard. Early adopters get native agent integration.

What we measured We check /agents.json and /.well-known/agents.json for a valid configuration.

How to fix Publish /agents.json describing your site's capabilities and actions.

Learn how to implement →

Spec: https://agents-json.org

~ WebMCP endpoint low impact Absent (emerging standard)

Business impact WebMCP lets agents call actions on your site directly (book, buy, query) instead of scraping the DOM. Early adopters get native AI-agent interoperability.

What we measured We check /.well-known/webmcp and /webmcp.json for a valid actions array.

How to fix Add a WebMCP endpoint exposing your key actions to agents.

Learn how to implement →

Spec: https://webmcp.org

~ API documentation low impact No OpenAPI/Swagger found

Business impact Programmatic agents prefer a typed API. An OpenAPI/Swagger spec lets them integrate without scraping.

What we measured We probe /openapi.json, /swagger.json, /api-docs and /.well-known/openapi.json.

How to fix Publish an OpenAPI spec at a well-known path.

Learn how to implement →

Spec: https://www.openapis.org/

Passed audits (4)

✓ robots.txt allows AI bots✓ Machine-readable prices✓ XML sitemap present + fresh✓ Server response (TTFB)
Full profile — how to improve · unused JS · network · timing

A deeper scan (a second render, ~30–60s): network waterfall, unused JavaScript, long tasks, and prioritized fixes. Runs only when you ask; the result is cached so it never re-runs.

Analyzing…
running mobile + desktop · ~30s