electron-security
Install: claude install-skill hlsitechio/claude-skills-security
# Electron Security Audit
Audit Electron desktop apps. Electron pairs a Chromium renderer with a Node.js main process; the most dangerous configurations let renderer code (which loads web content) call Node APIs directly, so a single XSS in the renderer becomes native code execution on the user's machine.
## When this skill applies
- Reviewing BrowserWindow webPreferences
- Auditing preload scripts and contextBridge usage
- Reviewing IPC channels for unsafe exposure
- Checking deep link / protocol handler implementations
- Reviewing auto-updater configuration
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
grep -E '"electron":' package.json                      # declared version range
grep '"version"' node_modules/electron/package.json     # version actually installed
npx electron --version 2>/dev/null                      # same, from the binary
find . -path ./node_modules -prune -o \( -name 'electron-builder.*' -o -name 'forge.config.*' \) -print 2>/dev/null
```
Electron version matters: each Electron major pins a specific Chromium and Node.js version, and only the latest three stable majors receive security patches. An end-of-life Electron therefore ships a Chromium with known, unpatched browser CVEs that any content the renderer loads can reach. Record the installed major, not just the range declared in package.json.
### Phase 2: Inventory
```bash
# BrowserWindow configs
grep -rn 'new BrowserWindow\|webPreferences' src/ main/ 2>/dev/null
# Preload references
grep -rn 'preload:' src/ main/ 2>/dev/null
# IPC handlers
grep -rn 'ipcMain.handle\|ipcMain.on\|ipcRenderer.send\|ipcRenderer.invoke' src/ main/ renderer/ 2>/dev/null
# Context bridge
grep -rn 'contextBridge.exposeInMainWorld' src/ main/ 2>/dev/null
# Webview tags
grep -rn '<webview\|webview:' src/ main/ 2>/dev/null
# Protocol handlers
grep -rn 'app.setAsDefaultProtocolClient\|protocol.registerSchemesAsPrivileged' src/ main/ 2>/dev/null
```
### Phase 3: Detection — the checks
#### BrowserWindow webPreferences
The default-