Back to skill

Security audit

EasyEDA Agent

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed EasyEDA automation helper that can modify live schematic and PCB data, with no evidence of hidden exfiltration or deceptive behavior.

Install this only if you want an agent to operate EasyEDA projects on your machine. Keep project backups, require confirmation before delete, clear, import, bulk layout, or save operations, and prefer dry-run or readback checks before applying changes. Expect optional network access to JLCPCB for part selection and local artifact/baseline files under EasyEDA-related directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs use of a local CLI/daemon and bundled scripts that imply shell execution, file read/write, environment access, and likely networked part/library operations, but it declares no permissions or capability boundaries. This creates an authorization and transparency gap: an agent may perform powerful local actions without explicit user-visible consent or sandbox expectations, increasing the risk of unintended file changes, command execution, or data exfiltration in a sensitive design environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The module exposes destructive operations such as delete() and clear_wires_flags() that can remove components, wires, and flags immediately, with no confirmation, dry-run mode, scope restriction, or audit trail. In an agent-driven automation skill for live schematic editing, this increases the risk of accidental or prompt-induced destructive changes to design data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.