moai-framework-electron
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill documents industry-standard security practices for Electron development, specifically enforcing context isolation, sandboxing renderer processes, and disabling Node.js integration in the renderer to prevent remote code execution.
- [COMMAND_EXECUTION]: The main process implementation provides handlers for local file system operations (read, write, delete). To mitigate risk, the skill explicitly provides Zod-based validation schemas and path normalization to prevent path traversal attacks. Evidence found in src/main/ipc/index.ts.
- [EXTERNAL_DOWNLOADS]: The skill integrates with electron-updater to fetch application updates from GitHub or S3. This is documented as standard functionality for maintaining application security and stability through signed updates.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
  - Ingestion points: IPC handlers in src/main/ipc/index.ts that read from the local file system or persistent storage.
  - Boundary markers: Explicit use of contextBridge and contextIsolation to separate high-privilege Node.js environments from low-privilege web content.
  - Capability inventory: File system access, network requests (via auto-updater), and window management.
  - Sanitization: Implements Zod schema validation for all incoming IPC data and restricts file access through path validation.