← Back to list
security-patterns
by andyngdz
Generate images with Stable Diffusion, run LLMs, and more, all on your local machine.
⭐ 6🍴 0📅 Jan 23, 2026
Run in ManusSKILL.md
name: security-patterns description: Use when working with Electron - IPC security, renderer isolation, Node API access
Electron Security Patterns
Use this skill when implementing features that interact with Electron APIs or system resources.
Checklist
Core Security Principle
- Renderer process cannot access Node.js APIs directly
- This is enforced by Electron's contextIsolation
- All system access must go through IPC bridges
- Prevents malicious code from accessing system resources
IPC Bridge Pattern
- Define IPC handlers in
electron/preload.ts- Use
contextBridge.exposeInMainWorld()to expose APIs - Create type-safe interfaces for exposed APIs
- Follow the
window.electronAPInamespace convention
- Use
Example: Adding New Electron API
Step 1: Define handler in preload.ts
// electron/preload.ts
import { contextBridge, ipcRenderer } from 'electron'
contextBridge.exposeInMainWorld('electronAPI', {
backend: {
start: () => ipcRenderer.invoke('backend:start'),
stop: () => ipcRenderer.invoke('backend:stop'),
// Add new method here
getStatus: () => ipcRenderer.invoke('backend:status')
}
})
Step 2: Implement handler in main process
// electron/main.ts
ipcMain.handle('backend:status', async () => {
// Access Node.js APIs safely here
return await checkBackendStatus()
})
Step 3: Use in renderer process
// src/components/MyComponent.tsx
'use client'
const status = await window.electronAPI.backend.getStatus()
Security Checklist
- Never expose raw IPC methods to renderer
- Don't expose
ipcRenderer.send()oripcRenderer.invoke()directly - Create specific, scoped methods instead
- Don't expose
- Validate all IPC inputs in main process
- Don't trust data from renderer process
- Sanitize file paths, validate ranges, check types
- Use typed interfaces for IPC communication
- Define types in
types/directory - Share types between main and renderer processes
- Define types in
- Minimize exposed surface area
- Only expose what's necessary
- Don't create generic "execute command" handlers
Common Patterns
File system access:
// ✅ Good - specific, validated
contextBridge.exposeInMainWorld('electronAPI', {
files: {
readConfig: () => ipcRenderer.invoke('files:read-config'),
saveImage: (data: Buffer) => ipcRenderer.invoke('files:save-image', data)
}
})
// ❌ Bad - too generic, security risk
contextBridge.exposeInMainWorld('electronAPI', {
files: {
read: (path: string) => ipcRenderer.invoke('files:read', path) // Unsafe!
}
})
Process management:
// ✅ Good - scoped to backend process
backend: {
start: () => ipcRenderer.invoke('backend:start'),
stop: () => ipcRenderer.invoke('backend:stop')
}
// ❌ Bad - can execute arbitrary commands
system: {
exec: (command: string) => ipcRenderer.invoke('exec', command) // Very unsafe!
}
Reference
See Electron Security Guide: https://www.electronjs.org/docs/latest/tutorial/security
Score
Total Score
65/100
Based on repository quality metrics
✓SKILL.md
SKILL.mdファイルが含まれている
+20
✓LICENSE
ライセンスが設定されている
+10
○説明文
100文字以上の説明がある
0/10
○人気
GitHub Stars 100以上
0/15
✓最近の活動
1ヶ月以内に更新
+10
○フォーク
10回以上フォークされている
0/5
✓Issue管理
オープンIssueが50未満
+5
✓言語
プログラミング言語が設定されている
+5
✓タグ
1つ以上のタグが設定されている
+5
Reviews
💬
Reviews coming soon
