They are using node-webkit which means any javascript has unrestricted access to the nodejs api http://nodejs.org/api/. It wouldn't be hard to do something malicious with those low level filesystem, network and process modules.