Mova Supply Chain Risk

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed supplier-risk screening workflow that sends supplier data to MOVA and related screening services only as part of its stated purpose.

Install this only if your organization is allowed to share supplier and procurement decision data with MOVA and the listed screening services. Before using live connectors, verify the openclaw-mova plugin, connector endpoints, audit retention, and internal authorization requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The skill metadata says it should trigger when the user provides a supplier list, even before the user clearly requests sanctions or due-diligence screening. That can cause unintended collection and transmission of supplier and procurement data to external services, which is especially sensitive in a compliance workflow with multiple third-party connectors. The mandatory confirmation step later reduces but does not eliminate the risk because the activation scope is still broader than necessary.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The invocation guidance activates on broad phrases like providing a supplier list or asking for a supply chain check, without requiring clear authorization or business context. In this skill, activation can lead to screening against sanctions, PEP, ESG, and registry services and creation of audit records, so an overly broad trigger increases the chance of unauthorized or premature compliance checks and unnecessary disclosure of supplier data to external systems.

VirusTotal

65/65 vendors flagged this skill as clean.
