EasyEDA API Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a real EasyEDA automation helper, but it gives an AI a background bridge that can run code inside your EasyEDA app, so it should be reviewed before use.
Install this only if you intentionally want an AI agent to control EasyEDA. Before using it on important designs, review the bridge server and extension source if possible, keep project backups, ask the agent to show code before execution, and stop the background bridge when finished.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could run code that reads or changes PCB, schematic, library, or project state in the active EasyEDA environment.
The documented workflow exposes a raw code-execution endpoint into the running EasyEDA client. That is central to the skill, but it is broad authority over EDA projects without a documented approval or scoping layer.
WebSocket bridge — Execute code in the running EasyEDA Pro client; curl -X POST http://localhost:${BRIDGE_PORT:-49620}/execute
Use only when you intentionally want AI-driven EasyEDA automation; require the agent to show code and ask before destructive or project-mutating actions.
The local bridge may remain running and able to receive execution requests after the immediate task is finished.
The skill explicitly starts a long-running background service that remains available after the setup command; the provided instructions do not include an equivalent stop or cleanup boundary.
The bridge server must run in the background... node ${CLAUDE_SKILL_DIR}/scripts/bridge-server.mjs &
Stop the bridge when finished, and prefer an implementation that binds only to localhost, authenticates requests, and documents how to shut it down.
If another local process can reach the bridge, it may be able to interact with a service intended to expose EasyEDA project data and execution.
The bridge communication boundary is described as port scanning plus a service-name handshake, while direct localhost /execute examples are also documented; no stronger identity, origin, or permission control is described in the supplied artifacts.
Both AI and EDA clients auto-discover the server by scanning the port range and verifying a handshake (`service: "easyeda-bridge"`).
Run the bridge only while needed, avoid sensitive projects unless necessary, and look for authentication/origin checks in the bridge implementation before use.
Changes made through the bridge may be applied as if the user performed them in EasyEDA.
The skill operates through the user's active EasyEDA client context. This is expected for the stated purpose, but users should recognize that actions may occur with their current project/workspace authority.
including PCB design, schematic editing, footprint/symbol management, and project operations ... Execute code in the running EasyEDA Pro client
Use backups/version control, confirm the selected EasyEDA window, and require approval before actions that modify or delete project, library, or workspace data.
Installing the skill may also install Node dependencies and requires a companion EasyEDA extension.
The skill relies on npm dependencies and a separate EasyEDA extension download. That is consistent with the bridge purpose, but it adds external components that users must trust.
cd ${CLAUDE_SKILL_DIR} && npm install; Install the `run-api-gateway.eext` extension in EasyEDA Pro. Download link: https://ext.lceda.cn/item/oshwhub/run-api-gateway
Install only from trusted sources, review dependency and extension provenance, and avoid running the bridge on sensitive projects until satisfied with the source.
