← Back to Skills Marketplace

Electron

Name: Electron
Author: ivangdavila

by Iván · GitHub ↗ · v1.0.0

linuxdarwinwin32 ✓ Security Clean

1310

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install electron

Description

Build Electron desktop apps with secure architecture and common pitfall avoidance.

README (SKILL.md)

Security Non-Negotiables

nodeIntegration: false is mandatory — renderer with Node.js access means XSS = full system compromise
contextIsolation: true is mandatory — separates preload context from renderer
Whitelist IPC channels explicitly — never forward arbitrary channel names from renderer
Validate all IPC message content — renderer is untrusted, treat like external API input
Never use eval() or new Function() in renderer — defeats all security boundaries

Preload Script Rules

contextBridge.exposeInMainWorld() is the only safe bridge — raw ipcRenderer exposure is vulnerable
Clone data before passing across bridge — prevents prototype pollution attacks
Minimal API surface — expose specific functions, not generic send/receive

Architecture Traps

webPreferences locked after window creation — can't enable nodeIntegration later
Blocking main process freezes ALL windows — async everything, no sync file operations
Each BrowserWindow is separate renderer process — can't share JS variables directly
show: false then ready-to-show — prevents white flash, looks more native

Native Module Pain

Pre-built native modules won't work — must rebuild for Electron's specific Node version
electron-rebuild after every Electron upgrade — version mismatch = runtime crash
N-API modules more stable — survive Electron upgrades better than nan-based

Packaging Pitfalls

Dev dependencies included by default — production builds bloat without explicit exclusion
Code signing required for macOS auto-update — unsigned apps can't use Squirrel
Windows notifications require app.setAppUserModelId() — silent failure without it
ASAR isn't encryption — source readable with simple tools, don't rely on it for secrets

Platform-Specific Issues

CORS blocks file:// protocol — use custom protocol (app://) or local server
Windows needs NSIS or Squirrel for auto-update — installer format matters
macOS universal binary needs --universal flag — ships both Intel and ARM

Memory and Performance

Unclosed windows leak memory — call win.destroy() explicitly when done
Lazy load heavy modules — startup time directly affects perceived quality
backgroundThrottling: false if timers matter when minimized

Debugging

Main process: --inspect flag, connect via chrome://inspect
Renderer: webContents.openDevTools() or keyboard shortcut
electron-log for persistent logs — console.log vanishes on restart

Usage Guidance

This skill is a documentation-only guide (no code, no installs) and appears internally consistent with its stated purpose. It will not access secrets or modify system state. Before installing: (1) recognize it provides advice only — it won't build or run apps for you; (2) ensure you have npm on PATH if you expect to follow its guidance; (3) consider the lack of provenance (no homepage, unknown source/owner ID) — treat recommendations as guidance and cross-check against official Electron docs if you need authoritative or up-to-date instructions.

Capability Analysis

Type: OpenClaw Skill Name: electron Version: 1.0.0 The skill bundle provides comprehensive documentation and best practices for building secure Electron applications. It explicitly warns against common security pitfalls (e.g., `nodeIntegration`, `eval()`, `contextIsolation`) and promotes secure coding patterns. There are no indicators of malicious prompt injection, data exfiltration, unauthorized command execution, or other harmful activities in `SKILL.md` or `_meta.json`. The `npm` dependency is legitimate for the stated purpose.

Capability Assessment

✓ Purpose & Capability

Name/description match the content: SKILL.md contains Electron security and packaging guidance. Declared requirement (npm) is reasonable for Electron-related workflows. Minor note: it does not require an electron binary or other build tools (but npm is commonly used to install those).

✓ Instruction Scope

Instructions are narrowly scoped to secure Electron architecture, IPC, preload rules, packaging pitfalls, and debugging tips. They do not ask the agent to read arbitrary files, access credentials, or send data to external endpoints.

✓ Install Mechanism

No install spec and no code files are present (instruction-only). This minimizes disk writes and execution risk.

✓ Credentials

No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or permissions.

✓ Persistence & Privilege

Skill is not marked always:true and does not request persistent or elevated privileges. Autonomous invocation is allowed (platform default) but appropriate here for an advice skill.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install electron
After installation, invoke the skill by name or use /electron
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release

Metadata

Slug electron

Version 1.0.0

License —

All-time Installs 12

Active Installs 10

Total Versions 1

Frequently Asked Questions

What is Electron?

Build Electron desktop apps with secure architecture and common pitfall avoidance. It is an AI Agent Skill for Claude Code / OpenClaw, with 1310 downloads so far.

How do I install Electron?

Run "/install electron" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Electron free?

Yes, Electron is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Electron support?

Electron is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).

Who created Electron?

It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.

More Skills