upliftdesk.com
Audited 4 days ago· bigcommerce
Agent-readiness across all five AI commerce surfaces.
Surfaces — click to filter
12 failing · 12 not checked · 24 shown
12 checks couldn't run on this store — each is listed below with the reason. Your score reflects only what we could verify.
Populate gtin on every branded Product node
Why this matters: GTINs let agents match your product to the same item elsewhere; without them you lose cross-catalog matching.
Findings (11)
Checked 20 sampled product pages for a GTIN in the Product JSON-LD (0 carry a valid GTIN, 0%).
How: Extract gtin / gtin8 / gtin12 / gtin13 / gtin14 from the first Product JSON-LD node on each PDP; validate digit length.
Coverage
0/20 · 0%
- No valid GTIN on this product pageHIGH× 10
Populate gtin/gtin8/gtin12/gtin13/gtin14 with the manufacturer's barcode.
Affected (10)
- /reclaimed-wood-standing-desk
- /uplift-v2-l-shaped-special-order-laminate-stan…
- /4-port-usb-3-0-hub-by-uplift-desk
- /2-leg-standing-desk-frame
- /notebook-and-tablet-stand-by-uplift-desk
- /half-circle-desk-drawer-by-uplift-desk
- /corner-sleeve-by-uplift-desk
- /cpu-holder-by-uplift-desk
- /track-spacer
- /under-desk-accessory-hooks-by-uplift-desk
…and 1 more
Publish /.well-known/ucp with at minimum a version field
Why this matters: Without `/.well-known/ucp`, Google's AI Mode can't identify your storefront as a UCP-conformant merchant.
Findings (1)
Inspected /.well-known/ucp for a parseable JSON document with a top-level version string.
How: Confirm ctx.wellKnownUcp is non-null and carries a non-empty version string (the only universally-required UCP profile field).
- /.well-known/ucp is not reachable or not parseable as JSONHIGH
Serve a JSON document at /.well-known/ucp with a top-level
versionstring (e.g., "2026-04-08").
Add every required top-level key to the UCP profile
Why this matters: A profile missing one of the four required keys is treated as non-conformant — agent runtimes fall back to default behaviour and may skip the merchant.
Findings (1)
Wanted to inspect UCP root keys, but no profile was found.
How: Read the profile root (or top-level ucp wrapper) and verify the presence of version, services, capabilities, and signing_keys keys.
- No /.well-known/ucp profile presentHIGH
Publish /.well-known/ucp first (see ucp-profile-present).
Declare a shopping service entry with a recognised transport and an HTTPS endpoint
Why this matters: Without a valid shopping service entry, agents can recognise you as a UCP merchant but have no way to fetch your catalog.
Findings (1)
Wanted to walk the UCP profile's services[] for a valid shopping entry, but no profile was found.
How: List every services[] entry whose namespace is shopping (or contains shopping) and require at least one with transport ∈ {rest,mcp,a2a,embedded} AND a syntactically valid https:// endpoint.
- No /.well-known/ucp profile presentHIGH
Publish /.well-known/ucp first (see ucp-profile-present), then declare the shopping service.
Make every signing_keys[] entry a JWK with kty + kty-specific params
Why this matters: Malformed JWK entries are rejected silently by agents — signed payloads cannot be verified and the merchant loses trust signal.
Findings (1)
Wanted to validate signing_keys[], but no UCP profile was found.
How: Walk signing_keys[] and validate each entry per RFC 7517 §4.1 (kty required) + RFC 7518 §6 (kty-specific required parameters). kid is OPTIONAL per RFC 7517 §4.5 and not enforced here.
- No /.well-known/ucp profile presentHIGH
Publish a product feed or a crawlable product sitemap
Why this matters: Agents build their catalog from a feed or by crawling product pages; if neither yields products, your store is invisible.
Findings (1)
Confirmed your products are discoverable by crawling product pages and reading their structured data. Verified 20 product pages of 40 sampled, but no declared feed.
How: Read the product-discovery cascade result from ctx.discovery. Score by discovery method (feed / platform_api / sitemap_typed → pass when verifiedProductCount ≥ MIN_CONFIDENT_PRODUCTS; content_verified → partial; none or under-threshold → fail).
- Products are crawlable, but no declared product feedHIGH
/method=content_verified, verified=20
Publish a Google Merchant XML or ACP product feed at a stable URL and declare it in /.well-known/ucp and /llms.txt; crawl-only discovery is fragile.
Skipped — No UCP profile present; Cache-Control policy is not evaluable.
Context: If your UCP profile says `no-cache`, agent runtimes re-fetch on every interaction — brittle at scale and prone to rate-limit failures.
Why this was skipped
No UCP profile present; Cache-Control policy is not evaluable.
How: Parse the Cache-Control header on the /.well-known/ucp response; require public, max-age ≥ 60, and no no-store/no-cache/private.
Skipped — No UCP profile present; Content-Type is not evaluable.
Context: Agent runtimes that gate parsing on Content-Type will skip your profile if it's served as HTML or plain text.
Why this was skipped
No UCP profile present; Content-Type is not evaluable.
How: Check that the Content-Type header on /.well-known/ucp starts with application/json (optionally with a charset parameter).
Skipped — No UCP profile reachable; public-fetch evaluation deferred to ucp-profile-present.
Context: Agents fetch `/.well-known/ucp` without credentials — a 401 or 403 means they never see the profile.
Why this was skipped
No UCP profile reachable; public-fetch evaluation deferred to ucp-profile-present.
How: Confirm an unauthenticated GET to /.well-known/ucp returns a 2xx status.
Skipped — No UCP profile present; redirect behaviour is not evaluable.
Context: Lightweight agent clients fetch `/.well-known/ucp` without following redirects — a 301/302 means they never see your profile.
Why this was skipped
No UCP profile present; redirect behaviour is not evaluable.
How: Inspect the final HTTP status of GET /.well-known/ucp and whether any 3xx redirect was followed to reach it.
Skipped — No UCP profile present.
Context: A service declared with the right transport but missing endpoint/schema is unreachable — agents can't negotiate or connect.
Why this was skipped
No UCP profile present.
How: For each services[] entry with a recognised transport, require the transport-conditional fields: rest/mcp → endpoint+schema; a2a → endpoint; embedded → schema.
Skipped — No UCP profile present.
Context: An unrecognised transport leaves agents with no handler to dispatch — your service appears absent.
Why this was skipped
No UCP profile present.
How: For each services[] entry, require transport to be one of: rest, mcp, a2a, embedded.
Add includeSubDomains to your Strict-Transport-Security header
Why this matters: Without includeSubDomains, an HTTP subdomain (staging, mail, …) can be used to attack the apex's cookies.
Findings (1)
Inspected the homepage Strict-Transport-Security header ("max-age=63072000") and the includeSubDomains directive is absent.
How: Parse the homepage Strict-Transport-Security header for the includeSubDomains directive (RFC 6797 §6.1.2).
- HSTS header is missing the includeSubDomains directiveMEDIUM
What we found
max-age=63072000What we expected
Strict-Transport-Security: max-age=31536000; includeSubDomainsAppend
; includeSubDomainsto your STS header once every subdomain you operate supports HTTPS.
Add an Organization (or OnlineStore) JSON-LD block to your homepage with a contactPoint
Why this matters: Organization markup with a contactPoint tells AI agents who you are and how a shopper can reach you for support.
Findings (1)
Parsed the homepage JSON-LD looking for an Organization/OnlineStore node with a contactPoint, but no Organization-class node is present.
How: Parse homepage <script type="application/ld+json"> blocks, flatten @graph, and look for an Organization/OnlineStore/Store node with a contactPoint carrying email or telephone.
- No Organization/OnlineStore JSON-LD on homepageMEDIUM
What we expected
<script type="application/ld+json">{"@context":"https://schema.org","@type":"OnlineStore","name":"Example Store","url":"https://example.com","contactPoint":[{"@type":"ContactPoint","contactType":"customer service","email":"support@example.com"}]}</script>Add an Organization (or OnlineStore) JSON-LD block in the homepage
<head>with a contactPoint.
Keep every sitemap entry on the sitemap's own host
Why this matters: Cross-host sitemap entries are silently dropped, so the off-host product URLs effectively don't exist for the crawler.
Findings (5)
Compared 1720 <loc> entries against their sitemap host across 2 resource(s); 860 cross-host entries found.
How: For each resolved sitemap resource, parse the sitemap URL's host and compare it against every parsed <loc> URL's host.
- Cross-host <loc> — sitemap host is upliftdesk.com but entry is on www.upliftdesk.comMEDIUM
/sitemap.xmlsitemap host: upliftdesk.com; entry host: www.upliftdesk.com
What we found
https://www.upliftdesk.com/Remove the cross-host entry from this sitemap, or publish a separate sitemap on that host.
- Cross-host <loc> — sitemap host is upliftdesk.com but entry is on www.upliftdesk.comMEDIUM
/sitemap.xmlsitemap host: upliftdesk.com; entry host: www.upliftdesk.com
What we found
https://www.upliftdesk.com/reclaimed-wood-standing-desk/Remove the cross-host entry from this sitemap, or publish a separate sitemap on that host.
- Cross-host <loc> — sitemap host is upliftdesk.com but entry is on www.upliftdesk.comMEDIUM
/sitemap.xmlsitemap host: upliftdesk.com; entry host: www.upliftdesk.com
What we found
https://www.upliftdesk.com/uplift-v2-l-shaped-special-order-laminate-standing-desk/Remove the cross-host entry from this sitemap, or publish a separate sitemap on that host.
- Cross-host <loc> — sitemap host is upliftdesk.com but entry is on www.upliftdesk.comMEDIUM
/sitemap.xmlsitemap host: upliftdesk.com; entry host: www.upliftdesk.com
What we found
https://www.upliftdesk.com/4-port-usb-3-0-hub-by-uplift-desk/Remove the cross-host entry from this sitemap, or publish a separate sitemap on that host.
- Cross-host <loc> — sitemap host is upliftdesk.com but entry is on www.upliftdesk.comMEDIUM
/sitemap.xmlsitemap host: upliftdesk.com; entry host: www.upliftdesk.com
What we found
https://www.upliftdesk.com/2-leg-standing-desk-frame/Remove the cross-host entry from this sitemap, or publish a separate sitemap on that host.
Skipped — No MerchantReturnPolicy node carried a `merchantReturnLink` URL, so reachability has nothing to evaluate.
Context: A broken return-link makes Option B policies invisible — agents can't render or follow the link.
Why this was skipped
No MerchantReturnPolicy node carried a merchantReturnLink URL, so reachability has nothing to evaluate.
How: Collect every unique merchantReturnLink URL across all MerchantReturnPolicy nodes; probe each once via politeFetch (failSoft). 2xx counts as reachable.
Skipped — No UCP profile present.
Context: Capabilities missing version/spec/schema can't be matched against agent support tables — agents skip them silently.
Why this was skipped
No UCP profile present.
How: For each capabilities[] entry, require non-empty string values for version, spec, and schema.
Skipped — No UCP profile present.
Context: A spec URL on an unrelated authority signals the service was copy-pasted from stale documentation — agents can't trust the conformance claim.
Why this was skipped
No UCP profile present.
How: For each service with a spec URL, require the URL origin to be a canonical UCP authority OR the host/path to include the namespace token.
Skipped — No UCP profile present; service version formats are not evaluable.
Context: Free-form version labels like `1.0` or `latest` defeat the version-pinning agents rely on, leaving them unable to negotiate the correct spec generation.
Why this was skipped
No UCP profile present; service version formats are not evaluable.
How: For each services[] entry, require version to be a string matching /^\d{4}-\d{2}-\d{2}$/.
Add preload to your Strict-Transport-Security header and submit to hstspreload.org
Why this matters: HSTS preload-list inclusion is the strongest downgrade protection available — first-time visits are protected too.
Findings (1)
Inspected the homepage Strict-Transport-Security header ("max-age=63072000") and the preload directive is absent.
How: Parse the homepage Strict-Transport-Security header for the preload directive (hstspreload.org vendor extension to RFC 6797).
- HSTS header is missing the preload directiveLOW
What we found
max-age=63072000What we expected
Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadAppend
; preloadafterincludeSubDomainsand submit your domain at https://hstspreload.org/.
Skipped — No UCP profile found; MCP transport validity is not evaluable.
Context: If you advertise MCP transport, agents will try to connect — broken or non-HTTPS endpoints fail silently and lose the integration.
Why this was skipped
No UCP profile found; MCP transport validity is not evaluable.
How: Filter services[] to entries where transport=mcp and validate that endpoint is an absolute https:// URL.
Enable Apple Pay through your payment processor (informational only)
Why this matters: Apple Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.
Findings (1)
Scanned the homepage and 20 sampled PDPs for Apple Pay markers; none matched.
How: Substring match on known Apple Pay SDK/markup signatures (ApplePaySession, apple-pay-button, /apple-developer-merchantid-domain-association) across the homepage and every sampled PDP HTML.
- No Apple Pay markers detected on the homepage or PDPsINFO
Enable Apple Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.
Enable Google Pay through your payment processor (informational only)
Why this matters: Google Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.
Findings (1)
Scanned the homepage and 20 sampled PDPs for Google Pay markers; none matched.
How: Substring match on known Google Pay SDK/markup signatures (pay.google.com/gp/p/js/pay.js, google.payments.api, <google-pay-button) across the homepage and every sampled PDP HTML.
- No Google Pay markers detected on the homepage or PDPsINFO
Enable Google Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.
Skipped — Looked for /llms.txt at the site root; the fetcher returned no file.
Context: An /llms.txt manifest points agents at your feed and key pages without them having to guess.
Why this was skipped
Looked for /llms.txt at the site root; the fetcher returned no file.
How: Check whether the fetcher reached an /llms.txt at the site root. Informational only — no failure path per llmstxt.org being a voluntary community convention.