easyeda-pro-claude-skill

Name: easyeda-pro-claude-skill
Author: v0id-byte

Share on X Share on LinkedIn Share on Bluesky

40Medium

This skill masquerades as an official tool while containing hidden payloads, insecure network configurations, and undeclared capabilities that bypass security constraints to execute unauthorized system and network operations.

ThreatsCI SM CS BC S HITL

Threat Analysis

AI Agent Traps ↗Scanned 6/22/2026

Content InjectionPerception1 finding

Semantic ManipulationReasoning2 findings

Cognitive StateMemory & Learningclean

Behavioural ControlAction1 finding

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namev0id-byte/easyeda-pro-claude-skill

Registrygithub

Version3da4f2adc179

PURLpkg:github/v0id-byte/easyeda-pro-claude-skill@3da4f2adc179

Source

Repository ↗SKILL.md ↗

Install

This skill has findings worth reviewing before installing.

GitHub

Skills.shDocs

npx skills add https://github.com/v0id-byte/easyeda-pro-claude-skill

Assessments (5)

AI Agent Traps ↗

Description Mismatchmediumdescription mismatchAML.T0011.000LLM06:2025LLM09:2025

The skill claims to be an official tool for EasyEDA Pro, but the content describes using third-party MCP servers and unofficial API bridges, which contradicts the 'official' status implied in the description.

85% confidence

The description claims 'official status' (MONDOO_AGENT_SKILL_ML_005), yet the content explicitly lists third-party MCP servers (e.g., hyl64/jlcmcp, QuincySx/easyeda-pro) and provides workarounds for unofficial API bridge limitations.

Claims official statusmediumsocial engineeringAML.T0052.000LLM09:2025

Skill claims to be 'official' without verification.

70% confidence

Potential for unauthorized data exfiltration via bridgemediumdata exfiltrationAML.T0025AML.T0024LLM02:2025

The skill encourages modifying the bridge server to listen on all interfaces ('::'), which could expose the local WebSocket bridge to unauthorized network access if not strictly firewalled.

70% confidence

Fix `scripts/bridge-server.mjs`: bind dual-stack (LISTEN_HOST = '::') and reject non-loopback peers

Long base64-encoded blob detected (potential hidden payload)mediumobfuscationAML.T0068AML.T0015LLM01:2025

Long base64-encoded blob detected (potential hidden payload)

100% confidenceline 361

importAutoRouteSesFile/importAutoRouteJsonFile/clearRouting/save/zoomToBoardOutline/navigateToRegion/getCalculatingRatlineStatus

Missing allowed-tools declarationlowunauthorized tool use

Skill executes commands, writes files, or accesses the network but declares no allowed-tools, so its tool surface cannot be reviewed or constrained.

90% confidence

Undeclared network usagelowunauthorized tool use

Skill contains network access patterns (HTTP requests, socket connections) without declaring network capability in allowed-tools.

60% confidence

Missing licenseinfopolicy violation

Skill does not specify a license field. Specifying a license helps users understand usage terms.

100% confidence

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/v0id-byte/easyeda-pro-claude-skill.svg)](https://mondoo.com/ai-agent-security/skills/github/v0id-byte/easyeda-pro-claude-skill)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/v0id-byte/easyeda-pro-claude-skill"><img src="https://mondoo.com/ai-agent-security/api/badge/github/v0id-byte/easyeda-pro-claude-skill.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/v0id-byte/easyeda-pro-claude-skill.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow