Mova Supply Chain Risk
v1.0.1
Screen suppliers against sanctions lists, PEP registries, ESG ratings, and financial stability data via MOVA HITL, then route findings through a human procur...
by Sergii Miasoiedov @mova-compact
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name and description (supplier screening, sanctions/PEP/ESG/financial checks with human gate) align with the instructions: submit supplier batches to MOVA, show risk bands, and require human sign-off. The external services referenced (MOVA API, sanctions/ESG/registry connectors) are appropriate for the stated purpose.
Instruction Scope
Instructions are focused on screening and a mandatory human decision gate. They explicitly send supplier names/IDs/countries and procurement metadata to api.mova-lab.eu and to screening connectors — which is expected — but the SKILL.md does not list the actual credentials/authorization steps the plugin needs, nor does it include the plugin code. Also the README references screenshot files that are not present in the package (cosmetic).
Install Mechanism
This is an instruction-only skill (no install spec, no code), which is low-risk from an install perspective. It requires the 'openclaw-mova' plugin to be installed via OpenClaw; the SKILL.md suggests 'openclaw plugins install openclaw-mova'. The plugin itself is external to this skill and is the component that will perform network calls — verify the plugin source before installing.
Credentials
The skill declares no required environment variables or credentials in its metadata, but it transmits potentially sensitive supplier data to external services. In practice the MOVA plugin (not included) will likely require API keys or tokens; the absence of declared required credentials here means you should confirm what secrets the plugin needs and how they are stored/limited. Ensure you have legal authority to send supplier data to the listed endpoints.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always:false). It documents that audit receipts are stored in MOVA R2 storage (external) and claims no local storage. There is no instruction to modify other skills or system-wide settings.
Assessment
This skill appears coherent for supplier screening: it will send supplier names/IDs/countries and procurement metadata to the MOVA service and to sanctions/ESG/registry connectors and enforces a human decision gate. Before installing or using it: (1) verify the provenance of the openclaw-mova plugin and only install it from a trusted source; (2) ask the plugin owner what API keys or credentials are required and how they are stored; (3) confirm you are allowed (legally and contractually) to transmit supplier data to the listed external endpoints and whether data residency/GDPR rules apply; (4) test with non-sensitive or synthetic data first; and (5) request the plugin's privacy/security documentation (where data is stored, retention, auditability, and who can access the audit journal). If you want, provide the openclaw-mova plugin manifest or link and I can re-evaluate for any missing permissions or mismatches.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dt3m5gkntw4hew6ajkac5a5842s5m
