← Back to Skills Marketplace
Mova Bridge
by
Sergii Miasoiedov
· GitHub ↗
· v1.0.0
· MIT-0
94
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install mova-bridge
Description
Execute AI-powered business tasks with full audit trail, including AML, complaints, disputes, KYB, and loan reviews under fixed rules and cost limits.
Usage Guidance
What to check before installing / using this skill:
1) Verify the API endpoint and vendor: confirm the official MOVA service URL and that the open-source repository/publisher are legitimate (the code and docs reference multiple domains: mova.dev, mova-api.fly.dev, api.mova-lab.eu and a GitHub repo). Ask the publisher which endpoint is canonical.
2) Expect to provide an API key: this skill requires MOVA_API_KEY. The registry metadata omits that — treat that as a packaging error. Do not paste your MOVA API key into chat; prefer to set it in your agent/MCP config manually.
3) Protect other secrets: the code can read LLM_KEY and add it to headers (X-LLM-Key). Only set an LLM_KEY if you trust the MOVA service to receive it; otherwise leave it unset. Confirm whether the bridge actually needs an LLM key or if that flag is vestigial.
4) Confirm HITL behavior: the SKILL.md instructs 'mova_hitl_start' to be called immediately on invoice images (no confirmation). If you handle sensitive documents, ask the maintainer to change this to require explicit user consent before any upload or connector call.
5) Inspect or run in isolation first: because code is provided, review the full server.py for any unexpected network destinations or forwarding of data (look for any uses of headers or endpoints beyond the MOVA API). If possible, run the bridge in an isolated/test org with throwaway keys and no production data to observe behavior and billing.
6) Fix metadata mismatches: prefer a skill whose registry metadata accurately lists required env vars and the primary credential. If you cannot verify the author or endpoints, avoid enabling the skill for production/automated use.
If you want, I can: (a) scan the remaining truncated portion of server.py for explicit instances where LLM_KEY is forwarded or where mova_hitl_start uploads data, (b) extract all external hostnames the code contacts, or (c) suggest a minimal safe test plan to exercise the skill with a throwaway account.
Capability Analysis
Type: OpenClaw Skill
Name: mova-bridge
Version: 1.0.0
The MOVA Bridge is a legitimate MCP server designed to integrate the MOVA contract execution platform with AI agents like OpenClaw. The code (server.py) acts as a thin HTTP client that delegates business tasks (AML triage, invoice processing, trade risk) to the MOVA API at api.mova-lab.eu. While the bridge handles sensitive credentials like MOVA_API_KEY and LLM_KEY, it does so transparently to facilitate the platform's stated AI-powered workflows. The SKILL.md file contains robust safety instructions for the agent, explicitly requiring user confirmation for costs and prohibiting the sharing of API keys. No evidence of malicious intent, unauthorized data exfiltration, or obfuscation was found.
Capability Assessment
Purpose & Capability
The skill's stated purpose (MOVA contract execution) requires a MOVA API key and references connectors/LLM steps, but the registry metadata lists no required environment variables or primary credential. The code and SKILL.md both expect MOVA_API_KEY and also reference LLM_KEY / OCR_LLM_MODEL, which are not declared in the skill metadata. Multiple different MOVA endpoints appear in docs/code (mova.dev / mova-api.fly.dev / api.mova-lab.eu), which is inconsistent and should be verified.
Instruction Scope
SKILL.md instructs the agent to call the MOVA API tools for discovery, pricing, execution, and audit retrieval — this is coherent. However two areas are concerning: (1) the HITL invoice flow explicitly tells the agent to call mova_hitl_start 'immediately, no confirmation needed' when a user sends an invoice image, which would transmit potentially sensitive images to the external MOVA service without an explicit price/confirmation step; (2) the registration flow returns an api_key that the agent is instructed to display and ask the user to save and add to their MCP config — that relies on the agent not to leak the key elsewhere (SKILL.md says 'Never share the API key', but the tool returns it, so care is needed).
Install Mechanism
There is no install spec in the registry (instruction-only), but the package includes Python code and a pyproject declaring normal dependencies (mcp[cli], httpx). That is a typical packaging approach; the absence of an install procedure in the registry metadata is an inconsistency but not inherently dangerous. No downloads from arbitrary URLs or archives were observed in the metadata.
Credentials
The code expects MOVA_API_KEY (required) and optionally LLM_KEY and model environment variables. The registry incorrectly lists no required env vars. Of particular note: the code is prepared to include an 'X-LLM-Key' header when LLM_KEY is set (used for 'AI steps' per comments). If present, the agent may forward your LLM provider key to the MOVA service (potential secret exfiltration) unless you verify where and how it's used. Requiring an API key for the target service is reasonable, but the metadata should declare it explicitly and justify additional keys.
Persistence & Privilege
The skill is not marked 'always' and does not request elevated platform privileges. It does not appear to modify other skills or system-wide settings. It runs as a thin MCP server when launched, which is expected for this bridge functionality.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install mova-bridge - After installation, invoke the skill by name or use
/mova-bridge - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
MOVA Bridge v1.0.0 — Initial Release
- Introduces support for MOVA, a contract execution platform for auditable, AI-powered business tasks.
- Provides detailed setup instructions, including first-time registration and API key management.
- Outlines step-by-step task execution flow: setup check, discovering tasks, showing price, collecting inputs, execution, and results delivery.
- Documents available tools for business tasks and specialized human-in-the-loop invoice processing.
- Establishes strict compliance and user interaction rules, including mandatory price confirmation and proper error handling.
- Features user-friendly guidance, error messages, and language/tone recommendations for regulatory/compliance use cases.
Metadata
Frequently Asked Questions
What is Mova Bridge?
Execute AI-powered business tasks with full audit trail, including AML, complaints, disputes, KYB, and loan reviews under fixed rules and cost limits. It is an AI Agent Skill for Claude Code / OpenClaw, with 94 downloads so far.
How do I install Mova Bridge?
Run "/install mova-bridge" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Mova Bridge free?
Yes, Mova Bridge is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Mova Bridge support?
Mova Bridge is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Mova Bridge?
It is built and maintained by Sergii Miasoiedov (@mova-compact); the current version is v1.0.0.
More Skills