Skill details (site mirror, no comments)
License: MIT-0
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Version: v1.0.0
Stats: ⭐ 1 · 1.4k · 0 current installs · 0 all-time installs
🛡 VirusTotal: benign · OpenClaw: suspicious
Package: danmaps/esri-smells-consumer
Security scan (ClawHub)
- VirusTotal: benign
- OpenClaw: suspicious
OpenClaw assessment
The skill's code and instructions do what the description says (call a paid x402 endpoint and sign a Base/USDC authorization), but the registry metadata omits the sensitive environment variables the script actually requires and there are proportionality risks around supplying a private key to the skill.
Purpose
The name/description, SKILL.md, and included Python client all align: they call https://api.x402layer.cc/e/esri-smells using an x402 HTTP 402 pay-per-request flow on Base/USDC. However the registry metadata lists no required environment variables or primary credential even though both SKILL.md and scripts/call_smells.py require PRIVATE_KEY and WALLET_ADDRESS. That metadata omission is an inconsistency that should have been declared.
Instruction scope
Runtime instructions are narrowly scoped: install two Python deps, set PRIVATE_KEY and WALLET_ADDRESS env vars, and run the script with a project snapshot JSON. The script reads only the provided snapshot file and contacts the declared endpoint. It does not try to read other system paths or unrelated environment variables.
Install mechanism
No install spec; included files are a small Python script and requirements.txt referencing well-known packages (requests, eth-account). No remote downloads or extract-from-URL steps are present.
Credentials
The script requires a sensitive EVM private key (PRIVATE_KEY) and WALLET_ADDRESS to sign a TransferWithAuthorization for USDC — this is proportionate to a client performing an on-chain/off-chain payment authorization, but it is high-risk. The skill metadata failing to declare these required secrets is a red flag. Users should not store primary funds in a key provided to third-party code and should validate the recipient/pay-to address and cont…
Persistence
The skill is not always-enabled and does not attempt to modify other skills or system configuration. Autonomous invocation is allowed (normal default) but note that granting autonomous runs plus access to a private key would increase blast radius — here the metadata/declared permissions mismatch increases that concern.
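Install (copy to 龙虾 AI)
Copy the entire block below into a 龙虾中文库 conversation, and 龙虾 will complete the installation following SKILL.md.
Please hand this block to 龙虾中文库 (龙虾 AI) to execute: install the OpenClaw skill "Esri Workflow Smell Detector (Consumer)" on this machine. Summary: Paid client skill for Esri Workflow Smell Detector via x402 (Base/USDC). Use wh….
Fetch the following address to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/danmaps/esri-smells-consumer/SKILL.md
(Source: yingzhi8.cn skill library)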
SKILL.md
---
name: esri-workflow-smell-detector (consumer)
version: 1.0.0
description: |
  Paid client skill for Esri Workflow Smell Detector via x402 (Base/USDC).
  Use when you want to run a deterministic automation preflight scan on an ArcGIS Pro project snapshot
  by calling https://api.x402layer.cc/e/esri-smells (HTTP 402 payment flow).
---
# Esri Workflow Smell Detector (Consumer Skill)
This skill helps an agent **call the paid Smell Detector** endpoint (x402 pay-per-request) using Base/USDC.
It does **not** host the service.
## How this relates to arcgispro-cli
The expected input, `project_snapshot`, is the JSON artifact produced by the open-source ArcGIS Pro CLI (`arcgispro-cli`).
Recommended workflow:
1) Use `arcgispro-cli` to export a project snapshot/context artifact (safe-by-default, no raw data)
2) Send that JSON to this paid endpoint for a deterministic preflight risk report
3) Use the report to decide whether to proceed with automation (ArcPy/GP/AGOL) and what to fix first
This keeps a clean boundary:
- Open core (`arcgispro-cli`) answers: **what is in the project**
- Paid layer (this service) answers: **how risky is it to automate, and why**
## Endpoint
- `POST https://api.x402layer.cc/e/esri-smells`
## Input
Required JSON body:
```json
{
  "project_snapshot": { },
  "constraints": {
    "target": "arcpy",
    "deployment": "desktop",
    "max_runtime_sec": 300
  }
}
```
Allowed values: `target` is one of `"arcpy"`, `"geoprocessing"`, `"agol"`; `deployment` is one of `"desktop"`, `"server"`.
## Output (guaranteed fields)
- `summary`
- `risk_score` (0.0–1.0)
- `issues[]`
- `flags`
- `version`
- `requestHash`
## Determinism
- Stateless
- No external network calls (beyond the paid endpoint itself)
- Same input produces same output
- Safe to cache by `requestHash`
## Pricing
- x402 pay-per-request on Base
- Target price: **$0.001** per call
## How to call (Python helper)
1) Install deps:
```bash
pip install -r {baseDir}/requirements.txt
```
2) Set wallet env (consumer wallet):
```bash
export PRIVATE_KEY="0x..."
export WALLET_ADDRESS="0x..."
```
3) Call the endpoint:
```bash
python {baseDir}/scripts/call_smells.py path/to/project_snapshot.json
```
### Notes
- The script implements the x402 HTTP 402 challenge flow and retries with `X-Payment`.
- If the endpoint is unreachable or the network rejects the payment, surface the error as-is.
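
A pre-signing guard for the 402 challenge that the helper script answers, as an added example that is not part of the skill or its `call_smells.py`: it rejects any offered payment whose scheme, network, asset contract, recipient or amount differs from a pinned policy. The field names (`accepts`, `payTo`, `maxAmountRequired`, `asset`, `network`, `scheme`) are assumed from the public x402 specification and are not confirmed for this endpoint; `PAY_TO` and the sample challenge are constructed placeholders.

```python
from decimal import Decimal

# Assumed: field names follow the public x402 PaymentRequirements layout.
# PAY_TO is a constructed placeholder; pin the recipient you verified yourself.
USDC_BASE = "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913"  # USDC contract on Base mainnet
PAY_TO = "0x" + "11" * 20
POLICY = {"scheme": "exact", "network": "base", "asset": USDC_BASE,
          "payTo": PAY_TO, "max_usdc": Decimal("0.001")}  # $0.001 target price from SKILL.md

# Constructed 402 challenge body, not captured from the real endpoint.
SAMPLE_CHALLENGE = {"x402Version": 1, "accepts": [
    {"scheme": "exact", "network": "base", "asset": USDC_BASE,
     "payTo": "0x" + "22" * 20, "maxAmountRequired": "1000"},     # wrong recipient
    {"scheme": "exact", "network": "base", "asset": USDC_BASE,
     "payTo": PAY_TO, "maxAmountRequired": "5000000"},            # 5 USDC, over cap
    {"scheme": "exact", "network": "base", "asset": USDC_BASE,
     "payTo": PAY_TO, "maxAmountRequired": "1000"},               # 0.001 USDC, acceptable
]}

def check_requirement(req, policy=POLICY):
    """Return the list of policy violations for one offered payment requirement."""
    problems = []
    for field in ("scheme", "network"):
        if req.get(field) != policy[field]:
            problems.append(f"unexpected {field}")
    for field in ("asset", "payTo"):  # addresses compare case-insensitively
        if str(req.get(field, "")).lower() != policy[field].lower():
            problems.append(f"unexpected {field}")
    raw = str(req.get("maxAmountRequired", ""))
    if not (raw.isascii() and raw.isdigit()):
        problems.append("amount is not an integer string")
    elif Decimal(raw) / 10**6 > policy["max_usdc"]:  # USDC has 6 decimals
        problems.append("amount above cap")
    return problems

def select_requirement(challenge, policy=POLICY):
    """Return the first offer that passes policy; raise before any signing otherwise."""
    rejected = []
    for req in challenge.get("accepts", []):
        problems = check_requirement(req, policy)
        if not problems:
            return req
        rejected.append(problems)
    raise ValueError(f"no acceptable payment requirement: {rejected}")

if __name__ == "__main__":
    print(select_requirement(SAMPLE_CHALLENGE))
```

Run the check between receiving the 402 response and building the `TransferWithAuthorization` signature, so a changed recipient or inflated amount fails closed instead of being signed.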