Skills
NYC
skills/dchuk/claude-code-tauri-skills/calling-frontend-from-tauri-rust/Gen Agent Trust Hub

calling-frontend-from-tauri-rust

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): Unsafe JavaScript string interpolation for dynamic execution. The notify_frontend function uses format!("window.showNotification('{}')", message) to construct a script for webview.eval(). If the message variable contains a single quote (e.g., '); alert(1); //), it can break out of the string literal and execute arbitrary JavaScript in the frontend context.
  • DATA_EXFILTRATION (LOW): Unvalidated Path Access. The watch_directory command accepts a PathBuf directly from the frontend without any validation or sanitization. In a real-world scenario, this allows a compromised frontend to instruct the Rust backend to monitor sensitive directories (like ~/.ssh) and exfiltrate file change events.
  • CREDENTIALS_UNSAFE (LOW): Hardcoded credentials in example code. The login function demonstrates authentication logic using hardcoded strings user == "tauri-apps" and password == "tauri". While intended as a placeholder, this encourages poor security practices.
  • DYNAMIC_EXECUTION (LOW): Direct use of webview.eval() is generally discouraged in Tauri security best practices because it bypasses the structured IPC system and increases the attack surface for injection. The skill correctly mentions serialize-to-javascript as a safer alternative later, but the initial examples remain vulnerable.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 05:58 PM