← Back to Skills Marketplace
1602
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install esri-smells-consumer
Description
Paid client skill for Esri Workflow Smell Detector via x402 (Base/USDC).
Use when you want to run a deterministic automation preflight scan on an ArcGIS Pro project snapshot
by calling https://api.x402layer.cc/e/esri-smells (HTTP 402 payment flow).
README (SKILL.md)
Esri Workflow Smell Detector (Consumer Skill)
This skill helps an agent call the paid Smell Detector endpoint (x402 pay-per-request) using Base/USDC.
It does not host the service.
How this relates to arcgispro-cli
The expected input, project_snapshot, is the JSON artifact produced by the open-source ArcGIS Pro CLI (arcgispro-cli).
Recommended workflow:
- Use
arcgispro-clito export a project snapshot/context artifact (safe-by-default, no raw data) - Send that JSON to this paid endpoint for a deterministic preflight risk report
- Use the report to decide whether to proceed with automation (ArcPy/GP/AGOL) and what to fix first
This keeps a clean boundary:
- Open core (
arcgispro-cli) answers: what is in the project - Paid layer (this service) answers: how risky is it to automate, and why
Endpoint
POST https://api.x402layer.cc/e/esri-smells
Input
Required JSON body:
{
"project_snapshot": { },
"constraints": {
"target": "arcpy" | "geoprocessing" | "agol",
"deployment": "desktop" | "server",
"max_runtime_sec": 300
}
}
Output (guaranteed fields)
summaryrisk_score(0.0–1.0)issues[]flagsversionrequestHash
Determinism
- Stateless
- No external network calls (beyond the paid endpoint itself)
- Same input produces same output
- Safe to cache by
requestHash
Pricing
- x402 pay-per-request on Base
- Target price: $0.001 per call
How to call (Python helper)
- Install deps:
pip install -r {baseDir}/requirements.txt
- Set wallet env (consumer wallet):
export PRIVATE_KEY="0x..."
export WALLET_ADDRESS="0x..."
- Call the endpoint:
python {baseDir}/scripts/call_smells.py path/to/project_snapshot.json
Notes
- The script implements the x402 HTTP 402 challenge flow and retries with
X-Payment. - If the endpoint is unreachable or the network rejects the payment, surface the error as-is.
Usage Guidance
This client appears to be a legitimate payment-enabled caller for a paid Esri smell-detection endpoint, but there are important cautions: (1) The script requires your EVM private key (PRIVATE_KEY) and wallet address, yet the registry metadata fails to declare these credentials — treat that omission as suspicious. Supplying a private key to third-party code can expose funds: prefer using an ephemeral wallet with only a small balance, or sign transactions locally with a hardware wallet or separate signing step instead of exporting the raw private key as an env var. (2) Verify the endpoint domain and the pay-to address returned in the 402 challenge before making payments; confirm the USDC contract address and the intended recipient. (3) Inspect or run the script in an isolated environment and test with a minimal value first. (4) Ask the publisher to correct the registry metadata to list required env vars and to provide a homepage or publisher identity and an auditable payment flow description. If you cannot confirm the service and recipient, do not provide your primary private key or funds.
Capability Analysis
Type: OpenClaw Skill
Name: esri-smells-consumer
Version: 1.0.0
The skill is designed to be a paid client for an external API, requiring the use of a private key to sign payment transactions. The `SKILL.md` clearly states this requirement, instructing the user to provide `PRIVATE_KEY` and `WALLET_ADDRESS` environment variables. The `scripts/call_smells.py` script reads these variables and uses them solely for generating an `X-Payment` header to the specified `https://api.x402layer.cc/e/esri-smells` endpoint, which aligns with its stated purpose. There is no evidence of data exfiltration to unauthorized destinations, malicious execution, persistence mechanisms, or prompt injection attempts against the agent to perform actions beyond the skill's scope.
Capability Assessment
Purpose & Capability
The name/description, SKILL.md, and included Python client all align: they call https://api.x402layer.cc/e/esri-smells using an x402 HTTP 402 pay-per-request flow on Base/USDC. However the registry metadata lists no required environment variables or primary credential even though both SKILL.md and scripts/call_smells.py require PRIVATE_KEY and WALLET_ADDRESS. That metadata omission is an inconsistency that should have been declared.
Instruction Scope
Runtime instructions are narrowly scoped: install two Python deps, set PRIVATE_KEY and WALLET_ADDRESS env vars, and run the script with a project snapshot JSON. The script reads only the provided snapshot file and contacts the declared endpoint. It does not try to read other system paths or unrelated environment variables.
Install Mechanism
No install spec; included files are a small Python script and requirements.txt referencing well-known packages (requests, eth-account). No remote downloads or extract-from-URL steps are present.
Credentials
The script requires a sensitive EVM private key (PRIVATE_KEY) and WALLET_ADDRESS to sign a TransferWithAuthorization for USDC — this is proportionate to a client performing an on-chain/off-chain payment authorization, but it is high-risk. The skill metadata failing to declare these required secrets is a red flag. Users should not store primary funds in a key provided to third-party code and should validate the recipient/pay-to address and contract behavior before authorizing.
Persistence & Privilege
The skill is not always-enabled and does not attempt to modify other skills or system configuration. Autonomous invocation is allowed (normal default) but note that granting autonomous runs plus access to a private key would increase blast radius — here the metadata/declared permissions mismatch increases that concern.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install esri-smells-consumer - After installation, invoke the skill by name or use
/esri-smells-consumer - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial consumer skill for calling the paid x402 endpoint (Base) for Esri workflow smell detection. References arcgispro-cli project_snapshot output.
Metadata
Frequently Asked Questions
What is Esri Workflow Smell Detector (Consumer)?
Paid client skill for Esri Workflow Smell Detector via x402 (Base/USDC). Use when you want to run a deterministic automation preflight scan on an ArcGIS Pro project snapshot by calling https://api.x402layer.cc/e/esri-smells (HTTP 402 payment flow). It is an AI Agent Skill for Claude Code / OpenClaw, with 1602 downloads so far.
How do I install Esri Workflow Smell Detector (Consumer)?
Run "/install esri-smells-consumer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Esri Workflow Smell Detector (Consumer) free?
Yes, Esri Workflow Smell Detector (Consumer) is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Esri Workflow Smell Detector (Consumer) support?
Esri Workflow Smell Detector (Consumer) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Esri Workflow Smell Detector (Consumer)?
It is built and maintained by danmaps (@danmaps); the current version is v1.0.0.
More Skills