← Back to Skills Marketplace
Movi Review-First Bundle
by
Yifeng[Terry] Yu
· GitHub ↗
· v1.0.0
· MIT-0
74
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install movi-review-first-bundle
Description
Teach an agent to install Movi's local MCP server, stay review-first, and use the safest manifest and batch-analysis tools before deeper mutation.
Usage Guidance
This skill is internally coherent for installing and using a local Movi MCP review-first workflow, but it instructs you to clone and run code from the repository xiaojiou176-open/movi-organizer. Before you run any bootstrap or npm scripts: (1) inspect the repository contents and the specific scripts referenced (tooling/runtime/bootstrap_env.sh, tooling/gates/verify_repo_final.sh, run_mcp_stdio.sh, package.json scripts) to ensure they do not perform unwanted actions; (2) replace any placeholder absolute paths in the provided config snippets so they do not point to sensitive locations; (3) run the install steps in a sandboxed or least-privileged environment if possible (container/VM); (4) ensure your host has bash and Node/npm installed — add these as explicit prerequisites if you plan to rely on the skill; and (5) if you need higher assurance, request the repository owner provide a reproducible build artifact or a vetted release rather than running master branch scripts directly. Overall: coherent and plausible for its stated purpose but exercise normal caution when cloning and executing third-party repository scripts.
Capability Analysis
Type: OpenClaw Skill
Name: movi-review-first-bundle
Version: 1.0.0
The bundle instructs the agent to clone an external repository (github.com/xiaojiou176-open/movi-organizer.git) and execute unverified local scripts, specifically `tooling/runtime/bootstrap_env.sh` and `run_mcp_stdio.sh`, to set up an MCP server. While the documentation in `SKILL.md` and `references/INSTALL.md` emphasizes a 'review-first' safety workflow, the requirement to run arbitrary shell scripts and install dependencies from an external source represents a significant security risk. The lack of visibility into the external scripts' contents makes this bundle suspicious despite its stated benign purpose.
Capability Assessment
Purpose & Capability
The name/description promise (install and run a local Movi MCP server and follow a review-first workflow) matches the included content: SKILL.md, INSTALL.md, demo, configs, and a canonical_repo pointing to a GitHub repo that contains the tooling. The manifests and reference files consistently describe local-first usage and explicitly avoid claiming hosted listings.
Instruction Scope
The runtime instructions direct the operator to clone the referenced GitHub repo and run repo-provided scripts (bash tooling/runtime/bootstrap_env.sh, npm run mcp:tools, etc.). These steps are coherent with installing a local toolchain but do allow arbitrary code execution from the cloned repository; the SKILL.md itself does not attempt to read unrelated system files or exfiltrate data. It also instructs replacing placeholder absolute paths before attaching the MCP server, which is a reasonable safety step but requires operator attention.
Install Mechanism
This is an instruction-only skill (no install spec). The packet instructs the host to git-clone a public repo (canonical_repo: xiaojiou176-open/movi-organizer) and run npm/bash scripts. Downloading and running remote repository code is expected for this purpose but carries the usual risk of executing external code; the package does not itself embed binary downloads from unknown hosts or use obscure URLs.
Credentials
The skill declares no required environment variables or credentials, which aligns with its local-first claim. However, the instructions implicitly require runtime tools (bash and Node/npm) and filesystem access to check out and run the repo; these binaries are not enumerated in the metadata. No unrelated cloud credentials or secrets are requested.
Persistence & Privilege
The skill is not always:true and does not request persistent privileges. It is user-invocable and can be invoked autonomously by the agent (platform default), but nothing in the packet requests elevated system configuration changes or modifies other skills' settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install movi-review-first-bundle - After installation, invoke the skill by name or use
/movi-review-first-bundle - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Movi Review-First Bundle initial release:
- Guides users to install and configure the local Movi MCP server for a review-first workflow.
- Focuses on inspecting jobs and manifests before making any changes, emphasizing safe-first operations.
- Outlines integration steps with OpenHands, OpenClaw, and similar agents.
- Provides reference files for installation, configuration, capabilities, and demos.
- Enforces clear workflow boundaries: local-only, no live claims, and strict adherence to review and dry-run stages before mutations.
Metadata
Frequently Asked Questions
What is Movi Review-First Bundle?
Teach an agent to install Movi's local MCP server, stay review-first, and use the safest manifest and batch-analysis tools before deeper mutation. It is an AI Agent Skill for Claude Code / OpenClaw, with 74 downloads so far.
How do I install Movi Review-First Bundle?
Run "/install movi-review-first-bundle" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Movi Review-First Bundle free?
Yes, Movi Review-First Bundle is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Movi Review-First Bundle support?
Movi Review-First Bundle is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Movi Review-First Bundle?
It is built and maintained by Yifeng[Terry] Yu (@xiaojiou176); the current version is v1.0.0.
More Skills