easyeda-api

Fail

Audited by Snyk on May 18, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The package exposes an intentional local "bridge" (HTTP/WS) and an /execute API that runs arbitrary JavaScript inside the user's EasyEDA runtime/extension contexts and documents; combined with APIs that can read/write project/files, open iframes with broader browser/hardware access, and make external HTTP/WebSocket requests, this provides a remote-code-execution/backdoor capability that can be abused for data exfiltration, credential theft, persistence or supply-chain abuse.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill's runtime explicitly requires installing the EasyEDA extension from https://ext.lceda.cn/item/oshwhub/run-api-gateway, which fetches and installs remote code that executes in the EasyEDA client and is required for the bridge connection.


Audit Metadata

Risk Level: CRITICAL
Analyzed: May 18, 2026, 02:57 PM
Issues: 2