Mova Aml Triage
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for AML triage, but it sends sensitive customer and transaction data to external MOVA-related services and includes high-impact escalation decisions that should be used only by authorized compliance staff.
Before installing, verify the openclaw-mova plugin and MOVA service terms, confirm that your organization allows customer and transaction data to be sent to the listed services, and restrict use of escalation or account-freeze decisions to authorized compliance analysts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unauthorized decision could cause unnecessary escalation or account freezing.
The workflow includes a tool-mediated decision that may trigger a severe account-impacting outcome. The artifact also says the human analyst chooses the decision, so this behavior is disclosed and purpose-aligned, but it is still high impact.
Call tool `mova_hitl_decide` ... option: chosen decision ... `immediate_escalate` — Immediate escalation — freeze account
Use this only in an authorized compliance workspace, require an explicit human confirmation for freeze-account decisions, and verify the MOVA plugin’s permission and rollback controls.
Customer identities, transaction details, and risk information may leave the local workspace and be processed by MOVA and related connectors.
The skill discloses that sensitive AML, customer, and transaction data is sent to an external provider and its connectors. This is expected for the AML triage purpose, but users should treat it as sensitive data sharing.
Alert data + customer ID + transactions → `api.mova-lab.eu`; Customer data → sanctions screening; Customer ID → risk rating and prior alert history
Confirm that this sharing is permitted by your organization, data-processing agreements, jurisdictional requirements, and customer privacy obligations.
Compliance decisions and related metadata may become durable records that are difficult to alter or remove.
The skill creates persistent audit records outside the local session. This is appropriate for compliance auditability, but it means submitted data and decisions may be retained.
Audit journal → MOVA R2 storage, cryptographically signed ... Permanent signed record of the compliance decision
Review MOVA’s retention, access control, correction, and deletion policies before using real customer data.
Installing the required plugin may grant additional capabilities that were not visible in this artifact-only review.
The reviewed artifact is instruction-only, and the actual MOVA plugin code is not part of the provided scan context. The dependency is disclosed and purpose-aligned, but its provenance and implementation need separate review.
Requires the `openclaw-mova` plugin ... `"installCmd":"openclaw plugins install openclaw-mova"`
Review the openclaw-mova plugin source, version, permissions, and publisher before installing it in a production compliance environment.
