Esri Workflow Smell Detector (Consumer)

v1.0.0

Paid client skill for Esri Workflow Smell Detector via x402 (Base/USDC). Use when you want to run a deterministic automation preflight scan on an ArcGIS Pro project snapshot by calling https://api.x402layer.cc/e/esri-smells (HTTP 402 payment flow).

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description, SKILL.md, and included Python client all align: they call https://api.x402layer.cc/e/esri-smells using an x402 HTTP 402 pay-per-request flow on Base/USDC. However, the registry metadata lists no required environment variables or primary credential, even though both SKILL.md and scripts/call_smells.py require PRIVATE_KEY and WALLET_ADDRESS. That metadata omission is an inconsistency that should have been declared.
Instruction Scope
Runtime instructions are narrowly scoped: install two Python deps, set PRIVATE_KEY and WALLET_ADDRESS env vars, and run the script with a project snapshot JSON. The script reads only the provided snapshot file and contacts the declared endpoint. It does not try to read other system paths or unrelated environment variables.
Install Mechanism
No install spec; included files are a small Python script and requirements.txt referencing well-known packages (requests, eth-account). No remote downloads or extract-from-URL steps are present.
Credentials
The script requires a sensitive EVM private key (PRIVATE_KEY) and WALLET_ADDRESS to sign a TransferWithAuthorization for USDC — this is proportionate to a client performing an on-chain/off-chain payment authorization, but it is high-risk. The skill metadata failing to declare these required secrets is a red flag. Users should not store primary funds in a key provided to third-party code and should validate the recipient/pay-to address and contract behavior before authorizing.
Persistence & Privilege
The skill is not always-enabled and does not attempt to modify other skills or system configuration. Autonomous invocation is allowed (the normal default), but note that granting autonomous runs plus access to a private key would increase the blast radius; here the mismatch between the metadata and the declared permissions increases that concern.
What to consider before installing
This client appears to be a legitimate payment-enabled caller for a paid Esri smell-detection endpoint, but there are important cautions:
(1) The script requires your EVM private key (PRIVATE_KEY) and wallet address, yet the registry metadata fails to declare these credentials — treat that omission as suspicious. Supplying a private key to third-party code can expose funds: prefer using an ephemeral wallet with only a small balance, or sign transactions locally with a hardware wallet or separate signing step instead of exporting the raw private key as an env var.
(2) Verify the endpoint domain and the pay-to address returned in the 402 challenge before making payments; confirm the USDC contract address and the intended recipient.
(3) Inspect or run the script in an isolated environment and test with a minimal value first.
(4) Ask the publisher to correct the registry metadata to list required env vars and to provide a homepage or publisher identity and an auditable payment flow description.
If you cannot confirm the service and recipient, do not provide your primary private key or funds.



License

MIT-0
Free to use, modify, and redistribute. No attribution required.
