Mova Bridge

Execute AI-powered business tasks with full audit trail, including AML, complaints, disputes, KYB, and loan reviews under fixed rules and cost limits.

What to check before installing / using this skill: 1) Verify the API endpoint and vendor: confirm the official MOVA service URL and that the open-source repository/publisher are legitimate (the code and docs reference multiple domains: mova.dev, mova-api.fly.dev, api.mova-lab.eu and a GitHub repo). Ask the publisher which endpoint is canonical. 2) Expect to provide an API key: this skill requires MOVA_API_KEY. The registry metadata omits that — treat that as a packaging error. Do not paste your MOVA API key into chat; prefer to set it in your agent/MCP config manually. 3) Protect other secrets: the code can read LLM_KEY and add it to headers (X-LLM-Key). Only set an LLM_KEY if you trust the MOVA service to receive it; otherwise leave it unset. Confirm whether the bridge actually needs an LLM key or if that flag is vestigial. 4) Confirm HITL behavior: the SKILL.md instructs 'mova_hitl_start' to be called immediately on invoice images (no confirmation). If you handle sensitive documents, ask the maintainer to change this to require explicit user consent before any upload or connector call. 5) Inspect or run in isolation first: because code is provided, review the full server.py for any unexpected network destinations or forwarding of data (look for any uses of headers or endpoints beyond the MOVA API). If possible, run the bridge in an isolated/test org with throwaway keys and no production data to observe behavior and billing. 6) Fix metadata mismatches: prefer a skill whose registry metadata accurately lists required env vars and the primary credential. If you cannot verify the author or endpoints, avoid enabling the skill for production/automated use. If you want, I can: (a) scan the remaining truncated portion of server.py for explicit instances where LLM_KEY is forwarded or where mova_hitl_start uploads data, (b) extract all external hostnames the code contacts, or (c) suggest a minimal safe test plan to exercise the skill with a throwaway account.

Type: OpenClaw Skill Name: mova-bridge Version: 1.0.0 The MOVA Bridge is a legitimate MCP server designed to integrate the MOVA contract execution platform with AI agents like OpenClaw. The code (server.py) acts as a thin HTTP client that delegates business tasks (AML triage, invoice processing, trade risk) to the MOVA API at api.mova-lab.eu. While the bridge handles sensitive credentials like MOVA_API_KEY and LLM_KEY, it does so transparently to facilitate the platform's stated AI-powered workflows. The SKILL.md file contains robust safety instructions for the agent, explicitly requiring user confirmation for costs and prohibiting the sharing of API keys. No evidence of malicious intent, unauthorized data exfiltration, or obfuscation was found.