Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mova Connector Setup

v1.0.2

Help the user connect their real business systems (ERP, CRM, AML, market data, etc.) to MOVA by registering custom connector endpoints. Trigger when the user...

by Sergii Miasoiedov @mova-compact
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md expects the mova-bridge CLI and the openclaw-mova plugin (metadata even includes an installCmd), but the registry metadata lists no required binaries or explicit plugin requirement. That mismatch (skill runtime depends on mova-bridge/openclaw-mova but doesn't declare them) is an incoherence users should verify.
Instruction Scope
Instructions stay within the stated purpose (listing connectors, registering/removing overrides). They explicitly require asking the user for endpoint URL and auth values and then running mova-bridge commands. The SKILL.md forbids manual HTTP calls and instructs not to persist auth values, which is appropriate, but it does not describe how mova-bridge transmits or stores those credentials beyond the brief metadata note.
Install Mechanism
This is an instruction-only skill with no install spec or code to write to disk (low-install risk). However, the SKILL.md references installing/openclaw-mova via an installCmd in its embedded metadata — that install dependency is not surfaced in the registry requirements.
Credentials
The skill does not request environment variables, but it asks the user to provide auth header/value which the metadata acknowledges will be sent to an external service (api.mova-lab.eu). Transmitting user-supplied credentials to a third-party service is sensitive; the skill does not declare the primary credential nor explain retention or scope of those auth values beyond a one-line statement.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent privileges or system-wide config modifications. No evidence it modifies other skills or system settings.
What to consider before installing
This skill appears to do what it says (register HTTPS endpoints for MOVA connectors) but take these precautions before installing or using it:
- Verify the mova-bridge CLI is present and comes from a trusted source. The SKILL.md calls mova-bridge but the registry did not list required binaries.
- Confirm the openclaw-mova plugin is required and inspect that plugin (the SKILL.md metadata references an installCmd). Ask the publisher for the plugin source or homepage if missing.
- Understand that you will be asked to provide endpoint URL and auth header/value; these credentials will be transmitted to api.mova-lab.eu to register the override. Only provide short-lived or least-privilege credentials and only if you trust that service/organization.
- Ensure the endpoint is HTTPS and that you are comfortable MOVA will call it (and understand how MOVA handles/retains responses).
- Ask the publisher for provenance (author identity, homepage, repo) and for an explicit statement of how the auth value is stored or rotated by MOVA.

If you cannot verify the plugin/CLI sources and the external API ownership, do not supply production credentials. If you want, I can draft specific questions to ask the skill author or a checklist to validate mova-bridge/openclaw-mova before use.

Like a lobster shell, security has layers — review code before you run it.
