Mova Crypto Review
v1.0.1
Submit a crypto trade order for automated risk analysis and human-in-the-loop review via MOVA. Trigger when the user mentions a trade order, wallet address,...
by Sergii Miasoiedov (@mova-compact)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (medium confidence)
Purpose & Capability
The SKILL.md describes a MOVA HITL trade-review flow and all runtime actions consist of calling MOVA-specific tools (mova_hitl_start_trade, mova_hitl_decide, mova_hitl_audit, connector management). Requiring the openclaw-mova plugin is coherent with the stated purpose.
Instruction Scope
Instructions stay within the stated workflow: collect trade details, call MOVA tools, show analysis and decision options, and read signed audit receipts. They do not instruct reading local files or arbitrary env vars. However the skill permits registering connectors with arbitrary endpoints and auth headers (mova_register_connector), which — if misused or if the underlying plugin is malicious — could be used to connect to internal services or exfiltrate data. The SKILL.md is also truncated near the end, which reduces clarity.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. The actual runtime capability depends on the external openclaw-mova plugin (not included here).
Credentials
This skill declares no required environment variables or credentials, which is appropriate for an instruction-only wrapper. But it documents flows that will send sensitive trade and wallet data to api.mova-lab.eu and allows registering connectors that require endpoint URLs and auth headers. You should expect the MOVA plugin to require credentials; those are not declared here and should be inspected when installing the plugin.
Persistence & Privilege
always is false and the skill is user-invocable, which is appropriate. The plugin-side connectors and audit journal imply persistent state (connectors, stored audit receipts) managed by MOVA; verify how the plugin stores connector credentials and whether it persists any secrets. Autonomous invocation is allowed by default — combine that with connector registration only if you trust the plugin.
Assessment
This skill appears to be a legitimate MOVA HITL workflow, but you must verify the MOVA plugin and operator before use. Before installing or enabling the skill:
1) Confirm the openclaw-mova plugin source and inspect its code/permissions (the skill itself is instruction-only and does not include the plugin).
2) Test in sandbox mode — do not register production connectors or provide production credentials until satisfied.
3) When registering connectors, only point to trusted endpoints and avoid giving long-lived secrets; prefer scoped/short-lived credentials.
4) Verify the MOVA service domain (api.mova-lab.eu) and review its privacy/audit/storage policies.
5) If you require stronger assurance, ask the plugin author for provenance (homepage, repository, maintainer identity) and an auditable changelog; absence of that information lowers trust.
Like a lobster shell, security has layers — review code before you run it.
latestvk97btx8pypzz22mj1djveqb7wh843mc6
