vueuse-functions
github.com/vueuse/skills
Scanned Thu, 28 May 2026 17:08:11 GMT
Scan ID crawl-vk2bnqqps4klctveug3010ax · 3ms
C
SCORE 55 / 100
Verdict: Proceed with caution

12 medium findings.

This skill ships without a capability manifest and has 11 other issues, listed below.

0 critical · 0 high · 12 medium · 0 rules passed

Why grade C?

score · 55 / 100

The current grade reflects 12 medium findings (6+ MEDs → C).

0 CRIT · 0 HIGH · 12 MED · 0 LOW
To reach a higher grade
  • B
    Reach B · target score 75

    Resolve 7 of 12 MED (cap is 5).

  • A
    Reach A · target score 95

    Resolve 10 of 12 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
med
Link text shows "document.visibilitystate" but points at developer.mozilla.org
The visible link text contains the domain `document.visibilitystate`, but the URL actually targets `developer.mozilla.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 58 · CWE-601
56|----------|-------------|------------|
57| [`useActiveElement`](references/useActiveElement.md) | Reactive `document.activeElement` | AUTO |
58| [`useDocumentVisibility`](references/useDocumentVisibility.md) | Reactively track [`document.visibilityState`](https://developer.mozilla.org/en-US/docs/Web/API/Document/visibilityState) | AUTO |
text→document.visibilitystate · href→developer.mozilla.org
59| [`useDraggable`](references/useDraggable.md) | Make elements draggable | AUTO |
60| [`useDropZone`](references/useDropZone.md) | Create a zone where files can be dropped | AUTO |
med
Link text shows "css.supports" but points at developer.mozilla.org
The visible link text contains the domain `css.supports`, but the URL actually targets `developer.mozilla.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 84 · CWE-601
82| [`useClipboardItems`](references/useClipboardItems.md) | Reactive [Clipboard API](https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API) | AUTO |
83| [`useColorMode`](references/useColorMode.md) | Reactive color mode (dark / light / customs) with auto data persistence | AUTO |
84| [`useCssSupports`](references/useCssSupports.md) | SSR compatible and reactive [`CSS.supports`](https://developer.mozilla.org/docs/Web/API/CSS/supports_static) | AUTO |
text→css.supports · href→developer.mozilla.org
85| [`useCssVar`](references/useCssVar.md) | Manipulate CSS variables | AUTO |
86| [`useDark`](references/useDark.md) | Reactive dark mode with auto data persistence | AUTO |
med
Link text shows "window.devicepixelratio" but points at developer.mozilla.org
The visible link text contains the domain `window.devicepixelratio`, but the URL actually targets `developer.mozilla.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 135 · CWE-601
133| [`useDeviceMotion`](references/useDeviceMotion.md) | Reactive [DeviceMotionEvent](https://developer.mozilla.org/en-US/docs/Web/API/DeviceMotionEvent) | AUTO |
134| [`useDeviceOrientation`](references/useDeviceOrientation.md) | Reactive [DeviceOrientationEvent](https://developer.mozilla.org/en-US/docs/Web/API/DeviceOrientationEvent) | AUTO |
135| [`useDevicePixelRatio`](references/useDevicePixelRatio.md) | Reactively track [`window.devicePixelRatio`](https://developer.mozilla.org/docs/Web/API/Window/devicePixelRatio) | AUTO |
text→window.devicepixelratio · href→developer.mozilla.org
136| [`useDevicesList`](references/useDevicesList.md) | Reactive [enumerateDevices](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/enumerateDevices) listing available input/output devices | AUTO |
137| [`useDisplayMedia`](references/useDisplayMedia.md) | Reactive [`mediaDevices.getDisplayMedia`](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getDisplayMedia) streaming | AUTO |
med
Link text shows "mediadevices.getdisplaymedia" but points at developer.mozilla.org
The visible link text contains the domain `mediadevices.getdisplaymedia`, but the URL actually targets `developer.mozilla.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 137 · CWE-601
135| [`useDevicePixelRatio`](references/useDevicePixelRatio.md) | Reactively track [`window.devicePixelRatio`](https://developer.mozilla.org/docs/Web/API/Window/devicePixelRatio) | AUTO |
136| [`useDevicesList`](references/useDevicesList.md) | Reactive [enumerateDevices](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/enumerateDevices) listing available input/output devices | AUTO |
137| [`useDisplayMedia`](references/useDisplayMedia.md) | Reactive [`mediaDevices.getDisplayMedia`](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getDisplayMedia) streaming | AUTO |
text→mediadevices.getdisplaymedia · href→developer.mozilla.org
138| [`useElementByPoint`](references/useElementByPoint.md) | Reactive element by point | AUTO |
139| [`useElementHover`](references/useElementHover.md) | Reactive element's hover state | AUTO |
med
Link text shows "navigator.language" but points at developer.mozilla.org
The visible link text contains the domain `navigator.language`, but the URL actually targets `developer.mozilla.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 150 · CWE-601
148| [`useMouse`](references/useMouse.md) | Reactive mouse position | AUTO |
149| [`useMousePressed`](references/useMousePressed.md) | Reactive mouse pressing state | AUTO |
150| [`useNavigatorLanguage`](references/useNavigatorLanguage.md) | Reactive [navigator.language](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/language) | AUTO |
text→navigator.language · href→developer.mozilla.org
151| [`useNetwork`](references/useNetwork.md) | Reactive [Network status](https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API) | AUTO |
152| [`useOnline`](references/useOnline.md) | Reactive online state | AUTO |
med
Link text shows "window.getselection" but points at developer.mozilla.org
The visible link text contains the domain `window.getselection`, but the URL actually targets `developer.mozilla.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 163 · CWE-601
161| [`useSpeechSynthesis`](references/useSpeechSynthesis.md) | Reactive [SpeechSynthesis](https://developer.mozilla.org/en-US/docs/Web/API/SpeechSynthesis) | AUTO |
162| [`useSwipe`](references/useSwipe.md) | Reactive swipe detection based on [`TouchEvents`](https://developer.mozilla.org/en-US/docs/Web/API/TouchEvent) | AUTO |
163| [`useTextSelection`](references/useTextSelection.md) | Reactively track user text selection based on [`Window.getSelection`](https://developer.mozilla.org/en-US/docs/Web/API/Window/getSelection) | AUTO |
text→window.getselection · href→developer.mozilla.org
164| [`useUserMedia`](references/useUserMedia.md) | Reactive [`mediaDevices.getUserMedia`](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia) streaming | AUTO |
165
med
Link text shows "mediadevices.getusermedia" but points at developer.mozilla.org
The visible link text contains the domain `mediadevices.getusermedia`, but the URL actually targets `developer.mozilla.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 164 · CWE-601
162| [`useSwipe`](references/useSwipe.md) | Reactive swipe detection based on [`TouchEvents`](https://developer.mozilla.org/en-US/docs/Web/API/TouchEvent) | AUTO |
163| [`useTextSelection`](references/useTextSelection.md) | Reactively track user text selection based on [`Window.getSelection`](https://developer.mozilla.org/en-US/docs/Web/API/Window/getSelection) | AUTO |
164| [`useUserMedia`](references/useUserMedia.md) | Reactive [`mediaDevices.getUserMedia`](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia) streaming | AUTO |
text→mediadevices.getusermedia · href→developer.mozilla.org
165
166### Network
med
Link text shows "ipcrenderer.invoke" but points at www.electronjs.org
The visible link text contains the domain `ipcrenderer.invoke`, but the URL actually targets `www.electronjs.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 316 · CWE-601
314|----------|-------------|------------|
315| [`useIpcRenderer`](references/useIpcRenderer.md) | Provides [ipcRenderer](https://www.electronjs.org/docs/api/ipc-renderer) and all of its APIs with Vue reactivity | EXTERNAL |
316| [`useIpcRendererInvoke`](references/useIpcRendererInvoke.md) | Reactive [ipcRenderer.invoke API](https://www.electronjs.org/docs/api/ipc-renderer#ipcrendererinvokechannel-args) result | EXTERNAL |
text→ipcrenderer.invoke · href→www.electronjs.org
317| [`useIpcRendererOn`](references/useIpcRendererOn.md) | Use [ipcRenderer.on](https://www.electronjs.org/docs/api/ipc-renderer#ipcrendereronchannel-listener) with ease and [ipcRenderer.removeListener](https://www.electronjs.org/docs/api/ipc-renderer#ipcrendererremovelistenerchannel-listener) automatically on unmounted | EXTERNAL |
318| [`useZoomFactor`](references/useZoomFactor.md) | Reactive [WebFrame](https://www.electronjs.org/docs/api/web-frame#webframe) zoom factor | EXTERNAL |
med
Link text shows "ipcrenderer.on" but points at www.electronjs.org
The visible link text contains the domain `ipcrenderer.on`, but the URL actually targets `www.electronjs.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 317 · CWE-601
315| [`useIpcRenderer`](references/useIpcRenderer.md) | Provides [ipcRenderer](https://www.electronjs.org/docs/api/ipc-renderer) and all of its APIs with Vue reactivity | EXTERNAL |
316| [`useIpcRendererInvoke`](references/useIpcRendererInvoke.md) | Reactive [ipcRenderer.invoke API](https://www.electronjs.org/docs/api/ipc-renderer#ipcrendererinvokechannel-args) result | EXTERNAL |
317| [`useIpcRendererOn`](references/useIpcRendererOn.md) | Use [ipcRenderer.on](https://www.electronjs.org/docs/api/ipc-renderer#ipcrendereronchannel-listener) with ease and [ipcRenderer.removeListener](https://www.electronjs.org/docs/api/ipc-renderer#ipcrendererremovelistenerchannel-listener) automatically on unmounted | EXTERNAL |
text→ipcrenderer.on · href→www.electronjs.org
318| [`useZoomFactor`](references/useZoomFactor.md) | Reactive [WebFrame](https://www.electronjs.org/docs/api/web-frame#webframe) zoom factor | EXTERNAL |
319| [`useZoomLevel`](references/useZoomLevel.md) | Reactive [WebFrame](https://www.electronjs.org/docs/api/web-frame#webframe) zoom level | EXTERNAL |
med
Link text shows "ipcrenderer.removelistener" but points at www.electronjs.org
The visible link text contains the domain `ipcrenderer.removelistener`, but the URL actually targets `www.electronjs.org`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 317 · CWE-601
315| [`useIpcRenderer`](references/useIpcRenderer.md) | Provides [ipcRenderer](https://www.electronjs.org/docs/api/ipc-renderer) and all of its APIs with Vue reactivity | EXTERNAL |
316| [`useIpcRendererInvoke`](references/useIpcRendererInvoke.md) | Reactive [ipcRenderer.invoke API](https://www.electronjs.org/docs/api/ipc-renderer#ipcrendererinvokechannel-args) result | EXTERNAL |
317| [`useIpcRendererOn`](references/useIpcRendererOn.md) | Use [ipcRenderer.on](https://www.electronjs.org/docs/api/ipc-renderer#ipcrendereronchannel-listener) with ease and [ipcRenderer.removeListener](https://www.electronjs.org/docs/api/ipc-renderer#ipcrendererremovelistenerchannel-listener) automatically on unmounted | EXTERNAL |
text→ipcrenderer.removelistener · href→www.electronjs.org
318| [`useZoomFactor`](references/useZoomFactor.md) | Reactive [WebFrame](https://www.electronjs.org/docs/api/web-frame#webframe) zoom factor | EXTERNAL |
319| [`useZoomLevel`](references/useZoomLevel.md) | Reactive [WebFrame](https://www.electronjs.org/docs/api/web-frame#webframe) zoom level | EXTERNAL |
med
Link text shows "fuse.js" but points at github.com
The visible link text contains the domain `fuse.js`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatch · line: 346 · CWE-601
344| [`useDrauu`](references/useDrauu.md) | Reactive instance for [drauu](https://github.com/antfu/drauu) | EXTERNAL |
345| [`useFocusTrap`](references/useFocusTrap.md) | Reactive wrapper for [`focus-trap`](https://github.com/focus-trap/focus-trap) | EXTERNAL |
346| [`useFuse`](references/useFuse.md) | Easily implement fuzzy search using a composable with [Fuse.js](https://github.com/krisk/fuse) | EXTERNAL |
text→fuse.js · href→github.com
347| [`useIDBKeyval`](references/useIDBKeyval.md) | Wrapper for [`idb-keyval`](https://www.npmjs.com/package/idb-keyval) | EXTERNAL |
348| [`useJwt`](references/useJwt.md) | Wrapper for [`jwt-decode`](https://github.com/auth0/jwt-decode) | EXTERNAL |
skillox.io/r/crawl-vk2bnqqps4klctveug3010ax