ClawHub

Electron

v1.0.0

Build Electron desktop apps with secure architecture and common pitfall avoidance.

3· 1.2k·10 current·12 all-time
byIván@ivangdavila
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the content: SKILL.md contains Electron security and packaging guidance. Declared requirement (npm) is reasonable for Electron-related workflows. Minor note: it does not require an electron binary or other build tools (but npm is commonly used to install those).
Instruction Scope
Instructions are narrowly scoped to secure Electron architecture, IPC, preload rules, packaging pitfalls, and debugging tips. They do not ask the agent to read arbitrary files, access credentials, or send data to external endpoints.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes disk writes and execution risk.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or permissions.
Persistence & Privilege
Skill is not marked always:true and does not request persistent or elevated privileges. Autonomous invocation is allowed (platform default) but appropriate here for an advice skill.
Assessment
This skill is a documentation-only guide (no code, no installs) and appears internally consistent with its stated purpose. It will not access secrets or modify system state. Before installing: (1) recognize it provides advice only — it won't build or run apps for you; (2) ensure you have npm on PATH if you expect to follow its guidance; (3) consider the lack of provenance (no homepage, unknown source/owner ID) — treat recommendations as guidance and cross-check against official Electron docs if you need authoritative or up-to-date instructions.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Clawdis
OSLinux · macOS · Windows
Binsnpm
latestvk973xgzc4fna193vxxv8dhhjr180x8qv
1.2kdownloads
3stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Linux, macOS, Windows
Iván@ivangdavila
latest
Download

Security Non-Negotiables

  • nodeIntegration: false is mandatory — renderer with Node.js access means XSS = full system compromise
  • contextIsolation: true is mandatory — separates preload context from renderer
  • Whitelist IPC channels explicitly — never forward arbitrary channel names from renderer
  • Validate all IPC message content — renderer is untrusted, treat like external API input
  • Never use eval() or new Function() in renderer — defeats all security boundaries

Preload Script Rules

  • contextBridge.exposeInMainWorld() is the only safe bridge — raw ipcRenderer exposure is vulnerable
  • Clone data before passing across bridge — prevents prototype pollution attacks
  • Minimal API surface — expose specific functions, not generic send/receive

Architecture Traps

  • webPreferences locked after window creation — can't enable nodeIntegration later
  • Blocking main process freezes ALL windows — async everything, no sync file operations
  • Each BrowserWindow is separate renderer process — can't share JS variables directly
  • show: false then ready-to-show — prevents white flash, looks more native

Native Module Pain

  • Pre-built native modules won't work — must rebuild for Electron's specific Node version
  • electron-rebuild after every Electron upgrade — version mismatch = runtime crash
  • N-API modules more stable — survive Electron upgrades better than nan-based

Packaging Pitfalls

  • Dev dependencies included by default — production builds bloat without explicit exclusion
  • Code signing required for macOS auto-update — unsigned apps can't use Squirrel
  • Windows notifications require app.setAppUserModelId() — silent failure without it
  • ASAR isn't encryption — source readable with simple tools, don't rely on it for secrets

Platform-Specific Issues

  • CORS blocks file:// protocol — use custom protocol (app://) or local server
  • Windows needs NSIS or Squirrel for auto-update — installer format matters
  • macOS universal binary needs --universal flag — ships both Intel and ARM

Memory and Performance

  • Unclosed windows leak memory — call win.destroy() explicitly when done
  • Lazy load heavy modules — startup time directly affects perceived quality
  • backgroundThrottling: false if timers matter when minimized

Debugging

  • Main process: --inspect flag, connect via chrome://inspect
  • Renderer: webContents.openDevTools() or keyboard shortcut
  • electron-log for persistent logs — console.log vanishes on restart

Comments

Loading comments...