功能描述

Paid client skill for Esri Workflow Smell Detector via x402 (Base/USDC). Use when you want to run a deterministic automation preflight scan on an ArcGIS Pro project snapshot by calling https://api.x402layer.cc/e/esri-smells (HTTP 402 payment flow).

使用说明 (SKILL.md)

Esri Workflow Smell Detector (Consumer Skill)

Name: Esri Workflow Smell Detector (Consumer)
Author: danmaps

This skill helps an agent call the paid Smell Detector endpoint (x402 pay-per-request) using Base/USDC.

It does not host the service.

How this relates to arcgispro-cli

The expected input, project_snapshot, is the JSON artifact produced by the open-source ArcGIS Pro CLI (arcgispro-cli).

Recommended workflow:

Use arcgispro-cli to export a project snapshot/context artifact (safe-by-default, no raw data)
Send that JSON to this paid endpoint for a deterministic preflight risk report
Use the report to decide whether to proceed with automation (ArcPy/GP/AGOL) and what to fix first

This keeps a clean boundary:

Open core (arcgispro-cli) answers: what is in the project
Paid layer (this service) answers: how risky is it to automate, and why

Endpoint

POST https://api.x402layer.cc/e/esri-smells

Input

Required JSON body:

{
  "project_snapshot": { },
  "constraints": {
    "target": "arcpy" | "geoprocessing" | "agol",
    "deployment": "desktop" | "server",
    "max_runtime_sec": 300
  }
}

Output (guaranteed fields)

summary
risk_score (0.0–1.0)
issues[]
flags
version
requestHash

Determinism

Stateless
No external network calls (beyond the paid endpoint itself)
Same input produces same output
Safe to cache by requestHash

Pricing

x402 pay-per-request on Base
Target price: $0.001 per call

How to call (Python helper)

Install deps:

pip install -r {baseDir}/requirements.txt

Set wallet env (consumer wallet):

export PRIVATE_KEY="0x..."
export WALLET_ADDRESS="0x..."

Call the endpoint:

python {baseDir}/scripts/call_smells.py path/to/project_snapshot.json

Notes

The script implements the x402 HTTP 402 challenge flow and retries with X-Payment.
If the endpoint is unreachable or the network rejects the payment, surface the error as-is.

安全使用建议

This client appears to be a legitimate payment-enabled caller for a paid Esri smell-detection endpoint, but there are important cautions: (1) The script requires your EVM private key (PRIVATE_KEY) and wallet address, yet the registry metadata fails to declare these credentials — treat that omission as suspicious. Supplying a private key to third-party code can expose funds: prefer using an ephemeral wallet with only a small balance, or sign transactions locally with a hardware wallet or separate signing step instead of exporting the raw private key as an env var. (2) Verify the endpoint domain and the pay-to address returned in the 402 challenge before making payments; confirm the USDC contract address and the intended recipient. (3) Inspect or run the script in an isolated environment and test with a minimal value first. (4) Ask the publisher to correct the registry metadata to list required env vars and to provide a homepage or publisher identity and an auditable payment flow description. If you cannot confirm the service and recipient, do not provide your primary private key or funds.

功能分析

Type: OpenClaw Skill Name: esri-smells-consumer Version: 1.0.0 The skill is designed to be a paid client for an external API, requiring the use of a private key to sign payment transactions. The `SKILL.md` clearly states this requirement, instructing the user to provide `PRIVATE_KEY` and `WALLET_ADDRESS` environment variables. The `scripts/call_smells.py` script reads these variables and uses them solely for generating an `X-Payment` header to the specified `https://api.x402layer.cc/e/esri-smells` endpoint, which aligns with its stated purpose. There is no evidence of data exfiltration to unauthorized destinations, malicious execution, persistence mechanisms, or prompt injection attempts against the agent to perform actions beyond the skill's scope.

能力评估

ℹ Purpose & Capability

The name/description, SKILL.md, and included Python client all align: they call https://api.x402layer.cc/e/esri-smells using an x402 HTTP 402 pay-per-request flow on Base/USDC. However the registry metadata lists no required environment variables or primary credential even though both SKILL.md and scripts/call_smells.py require PRIVATE_KEY and WALLET_ADDRESS. That metadata omission is an inconsistency that should have been declared.

✓ Instruction Scope

Runtime instructions are narrowly scoped: install two Python deps, set PRIVATE_KEY and WALLET_ADDRESS env vars, and run the script with a project snapshot JSON. The script reads only the provided snapshot file and contacts the declared endpoint. It does not try to read other system paths or unrelated environment variables.

✓ Install Mechanism

No install spec; included files are a small Python script and requirements.txt referencing well-known packages (requests, eth-account). No remote downloads or extract-from-URL steps are present.

⚠ Credentials

The script requires a sensitive EVM private key (PRIVATE_KEY) and WALLET_ADDRESS to sign a TransferWithAuthorization for USDC — this is proportionate to a client performing an on-chain/off-chain payment authorization, but it is high-risk. The skill metadata failing to declare these required secrets is a red flag. Users should not store primary funds in a key provided to third-party code and should validate the recipient/pay-to address and contract behavior before authorizing.

✓ Persistence & Privilege

The skill is not always-enabled and does not attempt to modify other skills or system configuration. Autonomous invocation is allowed (normal default) but note that granting autonomous runs plus access to a private key would increase blast radius — here the metadata/declared permissions mismatch increases that concern.

版本历史

v1.0.0

Initial consumer skill for calling the paid x402 endpoint (Base) for Esri workflow smell detection. References arcgispro-cli project_snapshot output.

元数据

Slug esri-smells-consumer

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Esri Workflow Smell Detector (Consumer) 是什么？

Paid client skill for Esri Workflow Smell Detector via x402 (Base/USDC). Use when you want to run a deterministic automation preflight scan on an ArcGIS Pro project snapshot by calling https://api.x402layer.cc/e/esri-smells (HTTP 402 payment flow). 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1602 次。

如何安装 Esri Workflow Smell Detector (Consumer)？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install esri-smells-consumer」即可一键安装，无需额外配置。

Esri Workflow Smell Detector (Consumer) 是免费的吗？

是的，Esri Workflow Smell Detector (Consumer) 完全免费（开源免费），可自由下载、安装和使用。

Esri Workflow Smell Detector (Consumer) 支持哪些平台？

Esri Workflow Smell Detector (Consumer) 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Esri Workflow Smell Detector (Consumer)？

由 danmaps（@danmaps）开发并维护，当前版本 v1.0.0。

Esri Workflow Smell Detector (Consumer)