ClawHub

Mova Po Approval

v1.0.1

Submit a purchase order for automated risk analysis and procurement approval via MOVA HITL. Trigger when the user mentions a PO number, asks to approve/revie...

0· 141·1 current·1 all-time
bySergii Miasoiedov@mova-compact
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description ask for automated risk analysis + human-in-the-loop approval via MOVA. The SKILL.md consistently instructs the agent to use MOVA plugin tools (mova_hitl_start_po, mova_hitl_decide, mova_hitl_audit) and documents data flows to api.mova-lab.eu and server-side ERP connectors. Requiring the MOVA plugin is coherent with the stated purpose.
Instruction Scope
Instructions are narrowly scoped: call plugin tools, show results, and never make manual HTTP or shell calls. The doc explicitly forbids inventing results and demands surfacing errors. Minor documentation artifacts exist (references to local screenshots/paths and a raw GitHub image URL), but these are presentation/demo items and do not expand runtime privileges.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. Metadata references an install command for the openclaw-mova plugin (openclaw plugins install openclaw-mova); the skill itself does not download arbitrary artifacts. No archive downloads or non-standard install mechanisms are present in the skill content.
Credentials
The skill declares no required environment variables or credentials, which is reasonable because MOVA runtime fetches ERP data server-side. However, the skill allows registering real ERP connectors via mova_register_connector with an endpoint and optional auth_header/auth_value — that action will involve supplying credentials or secrets at runtime. Those secrets are not declared as required env vars here (they are optional inputs to a connector call), so users should be aware they'll need to provide ERP credentials when connecting live systems.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. The workflow stores audit records on MOVA/R2 (as claimed) but the skill does not modify other skills or agent configs. Autonomous invocation is allowed (platform default) and is not itself a concern here.
Assessment
This skill appears to do what it says: it requires the MOVA plugin and will send PO ID, approver ID, analysis results and decisions to the MOVA service. Before installing/using: 1) Verify and review the openclaw-mova plugin source (installCmd is present in metadata). 2) Understand and accept that PO metadata and human decisions are sent to api.mova-lab.eu and stored in MOVA/R2 audit storage. 3) If you connect a live ERP, be prepared to supply connector endpoints and auth credentials — treat those secrets carefully and only register trusted connectors. 4) Confirm data residency/compliance needs (EU-hosting is claimed). 5) If you need tighter assurance, ask for the plugin's code or a privacy/dataflow spec to confirm what exact fields are transmitted and persisted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bxxhf5cxshyevf0jhg848c1843tyt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments