electron-ipc-security-audit
Analyze Electron IPC implementations for security vulnerabilities including contextIsolation, nodeIntegration, preload scripts, and channel validation
Best use case
electron-ipc-security-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Analyze Electron IPC implementations for security vulnerabilities including contextIsolation, nodeIntegration, preload scripts, and channel validation
Teams using electron-ipc-security-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/electron-ipc-security-audit/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How electron-ipc-security-audit Compares
| Feature / Agent | electron-ipc-security-audit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Analyze Electron IPC implementations for security vulnerabilities including contextIsolation, nodeIntegration, preload scripts, and channel validation
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# electron-ipc-security-audit
Analyze Electron IPC implementations for security vulnerabilities. This skill performs comprehensive security audits of inter-process communication patterns, checking for contextIsolation issues, nodeIntegration risks, preload script security, and IPC channel validation.
## Capabilities
- Audit IPC channel implementations for security vulnerabilities
- Check contextIsolation and nodeIntegration configuration
- Analyze preload scripts for unsafe patterns
- Validate IPC message handling and sanitization
- Detect prototype pollution risks
- Check for remote code execution vulnerabilities
- Review Content Security Policy headers
- Identify exposed APIs through contextBridge
## Input Schema
```json
{
"type": "object",
"properties": {
"projectPath": {
"type": "string",
"description": "Path to the Electron project root"
},
"auditScope": {
"type": "array",
"items": {
"enum": ["ipc-channels", "preload-scripts", "main-process", "renderer-security", "csp", "all"]
},
"default": ["all"]
},
"severity": {
"enum": ["all", "critical", "high", "medium"],
"default": "all",
"description": "Minimum severity level to report"
},
"includeRecommendations": {
"type": "boolean",
"default": true
}
},
"required": ["projectPath"]
}
```
## Output Schema
```json
{
"type": "object",
"properties": {
"success": { "type": "boolean" },
"summary": {
"type": "object",
"properties": {
"totalIssues": { "type": "number" },
"critical": { "type": "number" },
"high": { "type": "number" },
"medium": { "type": "number" },
"low": { "type": "number" }
}
},
"findings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": { "type": "string" },
"severity": { "enum": ["critical", "high", "medium", "low"] },
"category": { "type": "string" },
"title": { "type": "string" },
"description": { "type": "string" },
"file": { "type": "string" },
"line": { "type": "number" },
"recommendation": { "type": "string" },
"codeExample": { "type": "string" }
}
}
},
"securityScore": {
"type": "number",
"description": "Security score 0-100"
}
},
"required": ["success", "findings"]
}
```
## Security Checks
### Critical Checks
1. **nodeIntegration enabled**: Check for `nodeIntegration: true` in BrowserWindow
2. **contextIsolation disabled**: Check for `contextIsolation: false`
3. **sandbox disabled**: Check for `sandbox: false`
4. **Direct ipcRenderer exposure**: Check for exposing ipcRenderer without contextBridge
5. **Remote module usage**: Check for deprecated remote module
6. **eval/Function execution**: Check for dynamic code execution in IPC handlers
### High Severity Checks
1. **Unrestricted IPC channels**: Check for `ipcMain.on('*')` patterns
2. **Missing input validation**: Check for unsanitized IPC arguments
3. **webSecurity disabled**: Check for `webSecurity: false`
4. **Unsafe protocol registration**: Check for custom protocol handlers
5. **Missing CSP headers**: Check for Content Security Policy
### Medium Severity Checks
1. **Overly permissive file access**: Check for broad file system access
2. **Insecure web preferences**: Check deprecated options
3. **Missing channel whitelisting**: Check preload script exposure
4. **Navigation to untrusted URLs**: Check navigation handlers
## Usage Instructions
1. **Scan project structure**: Identify main process, preload, and renderer files
2. **Check BrowserWindow configurations**: Audit webPreferences settings
3. **Analyze IPC implementations**: Review ipcMain/ipcRenderer usage
4. **Review preload scripts**: Check contextBridge API exposure
5. **Validate CSP headers**: Ensure proper Content Security Policy
6. **Generate report**: Compile findings with severity and recommendations
## Vulnerability Patterns
### Critical: Direct ipcRenderer Exposure
```javascript
// BAD: Exposing ipcRenderer directly
contextBridge.exposeInMainWorld('electron', {
ipcRenderer: ipcRenderer // CRITICAL VULNERABILITY
});
// GOOD: Expose only specific channels
contextBridge.exposeInMainWorld('electron', {
send: (channel, data) => {
const validChannels = ['file:read', 'file:write'];
if (validChannels.includes(channel)) {
ipcRenderer.send(channel, data);
}
}
});
```
### Critical: Missing Context Isolation
```javascript
// BAD: Context isolation disabled
new BrowserWindow({
webPreferences: {
contextIsolation: false, // CRITICAL
preload: path.join(__dirname, 'preload.js')
}
});
// GOOD: Context isolation enabled
new BrowserWindow({
webPreferences: {
contextIsolation: true,
sandbox: true,
preload: path.join(__dirname, 'preload.js')
}
});
```
### High: Unrestricted IPC Handler
```javascript
// BAD: Executing arbitrary commands
ipcMain.handle('execute', async (event, cmd) => {
return exec(cmd); // HIGH RISK
});
// GOOD: Whitelisted commands only
const ALLOWED_COMMANDS = ['list-files', 'get-info'];
ipcMain.handle('execute', async (event, cmd, args) => {
if (!ALLOWED_COMMANDS.includes(cmd)) {
throw new Error('Command not allowed');
}
return executeWhitelistedCommand(cmd, args);
});
```
## Best Practices
1. **Always enable contextIsolation**: Prevents prototype pollution
2. **Use sandbox mode**: Restricts renderer process capabilities
3. **Whitelist IPC channels**: Only expose necessary channels
4. **Validate all IPC inputs**: Never trust renderer input
5. **Avoid dynamic code execution**: No eval/Function in IPC handlers
6. **Implement CSP headers**: Restrict script sources
7. **Use invoke/handle pattern**: Prefer over send/on for request-response
## Related Skills
- `electron-main-preload-generator` - Generate secure boilerplate
- `electron-builder-config` - Build configuration
- `desktop-security-auditor` agent - Comprehensive security review
## Related Agents
- `electron-architect` - Architecture guidance
- `desktop-security-auditor` - Security expertise
## References
- [Electron Security Tutorial](https://www.electronjs.org/docs/latest/tutorial/security)
- [Context Isolation](https://www.electronjs.org/docs/latest/tutorial/context-isolation)
- [Process Sandboxing](https://www.electronjs.org/docs/latest/tutorial/sandbox)Related Skills
web-security
OWASP Top 10, security headers, CSP, XSS prevention, and vulnerability prevention.
security-scanner
Run security scans including SAST, dependency scanning, and secret detection
security-sandbox
Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.
Offensive Security Skill
Offensive security tools and techniques integration
hardware-security
Hardware and embedded security research capabilities. Interface with JTAG debuggers, analyze SPI/I2C communications, dump and analyze firmware, support fault injection, side-channel analysis, and hardware exploitation research.
cloud-security-testing
Multi-cloud security assessment and penetration testing capabilities. Execute Prowler/ScoutSuite assessments, analyze IAM policies, identify cloud misconfigurations, test permissions, and enumerate cloud resources across AWS/GCP/Azure.
Burp Suite/Web Security Skill
Web application security testing with Burp Suite integration
aiml-security
AI/ML model security testing and adversarial research capabilities. Generate adversarial examples, test model robustness, perform model extraction attacks, test for data poisoning, analyze model fairness, and support ART framework integration.
vendor-security-questionnaire
Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring
owasp-security-scanner
Automated OWASP Top 10 vulnerability detection and assessment. Run OWASP ZAP automated scans, detect injection vulnerabilities, identify broken authentication patterns, check for sensitive data exposure, analyze security misconfigurations, and generate OWASP-compliant reports.
multi-cloud-security-posture
Unified cloud security posture management across AWS, Azure, and GCP with normalized metrics and CIS benchmark comparison
iac-security-scanner
Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi