EasyEDA API Skill
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: easyeda-api
Version: 1.1.3
The skill bundle implements a local bridge server (scripts/bridge-server.mjs) that facilitates arbitrary JavaScript execution within the EasyEDA Pro browser context. While this architecture is aligned with the stated purpose of providing an EDA API for AI agents, the bridge server lacks any authentication or authorization mechanisms, allowing any local process to send code to the '/execute' endpoint. Furthermore, SKILL.md contains instructions for the agent to perform high-privilege actions such as 'npm install' and running background processes. Although no clear evidence of intentional malice or data exfiltration was found, the inherent risk of an unauthenticated RCE bridge and the broad execution capabilities make the bundle suspicious from a security perspective.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this bridge could inspect or change the active EasyEDA project, schematic, PCB, libraries, or other client state if it sends mutating code.
The skill exposes a generic code execution endpoint into the running EasyEDA client. This is central to the skill, but it is broad authority and the shown instructions do not define approval, read-only defaults, or operation-level limits.
curl -X POST http://localhost:${BRIDGE_PORT:-49620}/execute ... -d '{"code": "return await eda.dmt_Project.getCurrentProjectInfo();"}'
Use only with trusted agents and projects, keep backups, require explicit confirmation before edits/deletes/publishing, and prefer scoped helper commands over arbitrary code execution where possible.
The agent may act with your EasyEDA permissions in the selected window, even though the skill does not request separate credentials.
The bridge operates inside the user's active EasyEDA client, so actions inherit whatever project, library, workspace, or account permissions that client has.
Execute code in the running EasyEDA Pro client ... including PCB design, schematic editing, footprint/symbol management, and project operations.
Confirm the active EasyEDA window and account before use, and avoid running the bridge while sensitive or unrelated projects are open.
Installing the companion extension expands the trusted code involved in controlling EasyEDA.
The documented workflow depends on an external EasyEDA extension in addition to the local skill files. This is purpose-aligned, but users must trust that extension source.
Install the `run-api-gateway.eext` extension in EasyEDA Pro. Download link: https://ext.lceda.cn/item/oshwhub/run-api-gateway
Install the extension only from the official/expected publisher, verify the version, and remove or disable it when not needed.
Code and results pass through the bridge, so any unintended local connection to it matters: if the bridge is reachable by anything other than the intended agent/client pair, that other party could submit code or read results.
The bridge uses local HTTP/WebSocket discovery and a service-name handshake to connect the agent and EasyEDA client. The shown documentation does not describe stronger authentication or per-session authorization.
Both AI and EDA clients auto-discover the server by scanning the port range and verifying a handshake (`service: "easyeda-bridge"`).
Ensure the bridge binds only to localhost, add or verify a per-session token if available, and stop the bridge after the EasyEDA session.
The local bridge may keep running and remain able to accept EasyEDA automation requests until stopped.
The skill explicitly starts a long-running background bridge process. This is disclosed and fits the purpose, but it can remain available after the immediate task.
The bridge server must run in the background ... node ${CLAUDE_SKILL_DIR}/scripts/bridge-server.mjs &
Stop the Node bridge process when finished, especially before opening unrelated EasyEDA projects.
