Security audit

EasyEDA API Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a real EasyEDA automation helper, but it exposes a background local bridge that can run arbitrary code inside the user's active EasyEDA session.

Install only if you intentionally want an AI agent to control EasyEDA. Use it on backed-up projects, verify the selected EasyEDA window, require the agent to show and get approval for code before it modifies, deletes, orders, or writes files, and stop the bridge when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation presents deletePcb as a PCB deletion API, but the remarks disclose broader side effects: deleting associated schematics and reusable-module symbols as well. In an agent-execution context, this is dangerous because an agent or user may invoke what appears to be a scoped operation and unintentionally cause irreversible cross-artifact data loss.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The rename API is documented as modifying a PCB name, but the remarks indicate it also renames associated schematic and reusable-module symbol names. This hidden coupling can cause unintended project-wide changes, breaking references, workflows, or expectations when an agent believes it is performing a local rename only.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The order-placement documentation states that non-interactive mode can silently check warnings and open an order page, while the remarks say only interactive checking is currently supported and parameters have no effect. This inconsistency can mislead an agent into assuming it can safely suppress prompts or warnings, increasing the chance of unintended procurement workflow initiation or unsafe automation around purchasing actions.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The parameter descriptions for placeComponentsOrder describe silent execution and warning bypass behavior, but the remarks say those inputs currently do nothing and only interactive checks are supported. For agent use, contradictory docs around a procurement API are dangerous because they can cause developers to build automation that assumes transactional safeguards or suppression behavior that does not exist.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The placePcbOrder docs claim non-interactive and ignoreWarning semantics, but the remarks state that the API currently only supports interactive checks and the parameters are placeholders. This mismatch can cause unsafe assumptions in automation and may lead an agent to trigger external PCB order flows believing it is only performing a dry-run or gated validation.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The placeSmtComponentsOrder docs contain the same contradiction: parameters are documented as controlling silent checks and warning suppression, but remarks say the API is interactive-only and parameters are ineffective. In an agent context, this increases risk of accidental SMT procurement actions or reliance on nonexistent safeguards around external actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented class exposes general-purpose local filesystem capabilities including path discovery, listing, read, write, and delete operations that are not inherently limited to EDA project data. In an agent skill context, this materially expands the blast radius: if an agent is prompted or manipulated into using these APIs, it could access or modify arbitrary local files once the required client mode and permissions are enabled.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documentation explicitly states that callers can close WebSocket connections created by other extensions by supplying another extension's UUID. Cross-extension control breaks isolation expectations and could let an extension interfere with, disrupt, or hijack another extension's communications if the platform permission model allows it. In the context of an agent skill that exposes a live bridge into a running EasyEDA client, this capability is more dangerous because it can affect active automation or debugging sessions beyond the caller's own scope.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The send method allows data to be transmitted over WebSocket connections owned by other extensions via extensionUuid. That creates a cross-extension message injection primitive, which can be abused to impersonate trusted traffic, manipulate connected services, or exfiltrate data through another extension's established channel. Given this skill's stated support for a WebSocket bridge server and live execution against the EasyEDA client, the ability to inject into another extension's socket is especially risky.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly documents an HTTP endpoint that accepts arbitrary JavaScript and forwards it to the connected EasyEDA client for execution, but it provides no warning, authentication, authorization, or usage restrictions. In a skill intended for AI agents, this is especially dangerous because an agent or local process could invoke the bridge and cause unintended code execution inside the EDA environment, potentially modifying projects or exfiltrating design data.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill registers on very broad triggers such as "EDA", "PCB", "schematic", and "EasyEDA", which can cause unintended activation during unrelated conversations. Because this skill can launch a local bridge and issue code-execution requests into a running EasyEDA client, accidental invocation increases the chance of unreviewed side effects and overbroad tool access.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation phrase at this location is highly generic and can be matched in ordinary discussion, causing the skill to take over a session unexpectedly. In this skill's context, unintended activation is more dangerous than usual because startup instructions include background server management and later support code execution against a connected desktop application.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file documents destructive deletion behavior without an explicit warning banner, caution note, or usage guidance for safe execution. In this skill's context, where APIs may be used by agents through a live bridge into a running EasyEDA client, missing warnings materially increase the chance of accidental destructive actions and silent data loss.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly states that opening another project can directly discard all unsaved changes, but it provides no guidance to check save state, prompt the user, or require confirmation before invoking the operation. In an agent-execution context, this is dangerous because an automated workflow may call the API and silently cause irreversible data loss in the active EasyEDA session.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation exposes destructive deletion APIs, and the remarks explicitly note cascading side effects such as deleting associated PCB data and reusable module symbols. In an agent-consumable skill, documenting destructive operations without prominent warnings, confirmation guidance, or safe-use constraints increases the chance an agent will invoke them inappropriately and cause irreversible project data loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes ordering APIs that can proceed toward manufacturing procurement and open order pages, but it lacks a strong warning about real-world transactional effects. In an agent skill, exposing procurement-triggering actions without prominent caution materially raises the risk of unintended purchases or supply-chain actions initiated from ambiguous prompts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The component ordering API is documented functionally but does not prominently warn that it can affect external/vendor procurement systems. For agent-driven use, omission of this warning is dangerous because the model may treat it as a routine local operation rather than a transactional action with real-world consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The PCB ordering API documentation omits a clear warning that invoking it may start an external order flow for fabricated boards. In the context of an automation skill, this can lead to accidental manufacturing initiation, especially if an agent interprets the method as a harmless validation or export step.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The SMT ordering API similarly lacks an explicit warning about initiating a real-world external order process. Because SMT assembly involves procurement and manufacturing operations, insufficient warning in agent-facing docs can cause unintended operational and financial impact.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The delete API supports deletion of both files and folders, including forced recursive-like folder deletion, but the documentation does not require confirmation, preview, or warnings about destructive consequences. In an agent-driven environment, this omission increases the chance that a model or extension author uses the API unsafely and causes irreversible local data loss.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The write API allows writing to arbitrary filesystem URIs and optionally overwriting existing files when force is enabled, yet the documentation lacks prominent warnings about overwrite risk and local file modification hazards. In a skill intended for AI agents, this can enable silent corruption of user files if prompts, tools, or wrappers do not add their own safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The bridge exposes an HTTP POST /execute endpoint and agent WebSocket execute messages that forward arbitrary JavaScript code to a connected EasyEDA client, with no authentication, authorization, origin restriction, or user confirmation. Although the server binds to localhost, any local process, browser page via permissive CORS, or malware on the host can invoke it and drive code execution inside the EasyEDA context, which is especially dangerous because the skill is explicitly designed as a code-execution bridge.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to enable an extension's External Interactions permission for network access, but it does not warn that third-party extensions may transmit project data, metadata, or credentials to external services. In an extension ecosystem for PCB/schematic tools, this is security-relevant because design files and supply-chain information can be sensitive, and users may grant network capability without understanding the trust implications.

Hidden Instructions

High
Category
Prompt Injection
Content
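_(Optional)_ Ignore warnings during non-interactive checks

If set to `true`<!-- -->, all check warnings are ignored and the order data is generated where possible;

If set to `false`<!-- -->, any warning interrupts execution and a result of `false` is returned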
Confidence
87% confidence
Finding
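<!-- -->, all check warnings are ignored and the order data is generated where possible; If set to `false`<!-- -->, any warning interrupts execution and a result of `false` is returned </td></tr> </tbody></table> ## Returns Promise&lt;boolean&gt; Whether the order check passed ### placesmtcomponentsorder # SCH\_Man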

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.