Mova Supply Chain Risk — Mova 供应链风险 - 供应商风险评估与合规

Name: Mova Supply Chain Risk — Mova 供应链风险 - 供应商风险评估与合规
Author: Sergii Miasoiedov

Sergii Miasoiedov

Mova Supply Chain Risk — Mova 供应链风险 - 供应商风险评估与合规

v1.0.1

利用 MOVA HITL 对供应商进行制裁名单、PEP 注册表、ESG 评级和财务稳定性数据的筛查，通过人工采购决策门户路由发现。确保供应链合规性和风险管理。

0· 118·0 当前·0 累计

by @mova-compact (Sergii Miasoiedov)·MIT-0

项目管理安全 API工具

下载技能包

License

MIT-0

最后更新

2026/4/2

安全扫描

VirusTotal

无害

查看报告

OpenClaw

安全

medium confidence

该技能的声明目的（通过 MOVA HITL 筛选供应商并将结果路由到人工采购门户）与其指令和数据流一致，但依赖外部 MOVA 插件/API（不在此捆绑）。在使用真实数据前，请验证插件源、所需凭据和法律/隐私姿态。

评估建议

该技能对于供应商筛选看似合理：它将发送供应商名称/ID/国家和采购元数据到 MOVA 服务和制裁/ESG/注册连接器，并强制执行人工决策门户。安装或使用前：（1）验证 openclaw-mova 插件的来源仅从可信源安装；（2）询问插件所有者所需 API 密钥/凭据的存储方式；（3）确认您是否有权（法律和合同上）向列出的外部端点传输供应商数据以及是否适用数据驻留/GDPR 规则；（4）先使用非敏感或合成数据测试；（5）请求插件的隐私/安全文档。如果提供 openclaw-mova 插件清单或链接，我可以重新评估任何缺失的权限或不匹配。...

详细分析 ▾

✓ 用途与能力

The name and description (supplier screening, sanctions/PEP/ESG/financial checks with human gate) align with the instructions: submit supplier batches to MOVA, show risk bands, and require human sign-off. The external services referenced (MOVA API, sanctions/ESG/registry connectors) are appropriate for the stated purpose.

ℹ 指令范围

Instructions are focused on screening and a mandatory human decision gate. They explicitly send supplier names/IDs/countries and procurement metadata to api.mova-lab.eu and to screening connectors — which is expected — but the SKILL.md does not list the actual credentials/authorization steps the plugin needs, nor does it include the plugin code. Also the README references screenshot files that are not present in the package (cosmetic).

✓ 安装机制

This is an instruction-only skill (no install spec, no code), which is low-risk from an install perspective. It requires the 'openclaw-mova' plugin to be installed via OpenClaw; the SKILL.md suggests 'openclaw plugins install openclaw-mova'. The plugin itself is external to this skill and is the component that will perform network calls — verify the plugin source before installing.

ℹ 凭证需求

The skill declares no required environment variables or credentials in its metadata, but it transmits potentially sensitive supplier data to external services. In practice the MOVA plugin (not included) will likely require API keys or tokens; the absence of declared required credentials here means you should confirm what secrets the plugin needs and how they are stored/limited. Ensure you have legal authority to send supplier data to the listed endpoints.

✓ 持久化与权限

The skill does not request persistent or elevated privileges (always:false). It documents that audit receipts are stored in MOVA R2 storage (external) and claims no local storage. There is no instruction to modify other skills or system-wide settings.

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv1.0.12026/3/26

添加了合同技能类型标签。

● 无害

安装命令点击复制

官方npx clawhub@latest install mova-supply-chain-risk

镜像加速npx clawhub@latest install mova-supply-chain-risk --registry https://cn.clawhub-mirror.com

技能文档

合同技能 — 一套可直接使用的 MOVA HITL 工作流。需要 openclaw-mova 插件。# MOVA 供应链风险分析

屏蔽您的供应商列表对制裁注册表、PEP 数据库、ESG 评级和财务稳定性指标 — 每个供应商的风险等级、来源引用和强制人工采购决策门户，后者由防篡改的审计跟踪支持。... （**注意：由于字符限制，完整的 cn_skill_md_content 未全文提供，建议在实际使用中保留完整的 Markdown 内容）

Contract Skill — A ready-to-use MOVA HITL workflow. Requires the openclaw-mova plugin.

# MOVA Supply Chain Risk Analysis

Screen your supplier list against sanctions registries, PEP databases, ESG ratings, and financial stability indicators — with a per-supplier risk band, source citations, and a mandatory human procurement decision gate backed by a tamper-proof audit trail.

What it does

Supplier ingestion — accepts a list of supplier names, IDs, countries, and procurement category
Multi-source screening — OFAC / EU / UN sanctions, PEP registries, ESG ratings, adverse media, financial stability
Risk report — per-supplier risk band (low / medium / high / critical) with source citations and finding details
Human gate — procurement manager reviews findings and chooses: approve all / approve clean only / reject all / escalate
Audit receipt — all data sources, query timestamps, screening results, and the human decision are logged for supply chain transparency audits

Mandatory escalation rules enforced by policy:

Sanctions hit on any supplier → immediate escalation, cannot approve batch
Critical risk band (≥ 2 suppliers) → mandatory escalation to compliance team
PEP flag with procurement value above threshold → escalate required

Requirements

Plugin: MOVA OpenClaw plugin must be installed in your OpenClaw workspace.

Data flows:

Supplier data + procurement category → api.mova-lab.eu (MOVA platform, EU-hosted)
Supplier names/countries → sanctions & PEP screening (OFAC, EU, UN — read-only)
Supplier IDs → ESG ratings and adverse media lookup (read-only)
Supplier name/country → company registry and financial stability check (read-only)
Audit journal → MOVA R2 storage, signed
No data stored locally or sent to third parties beyond the above

Demo

Step 1 — Supplier batch submitted with screening request !Step 1

Step 2 — AI screening: sanctions hit on SUP-002, ESG risk on SUP-003, mandatory escalation triggered !Step 2

Step 3 — Audit receipt + signed decision log !Step 3

Quick start

Say "screen these suppliers for procurement" and provide:

suppliers:
  - id: SUP-001, name: Acme GmbH, country: DE
  - id: SUP-002, name: Delta LLC, country: US
category: raw_materials
requestor_id: EMP-2201

The agent submits the batch, shows the per-supplier risk report with sanctions and ESG findings, then asks for your procurement decision.

Why contract execution matters

Sanctions rules are policy, not prompts — any sanctions hit triggers mandatory escalation that cannot be bypassed
Multi-source traceability — every finding is tagged with its source (OFAC / EU / UN / ESG / registry)
Immutable audit trail — when a compliance officer or regulator asks "who cleared supplier SUP-002 and why?" — the answer is in the system
EU Supply Chain Due Diligence / OFAC ready — procurement decisions require documented screening history, source citations, and human sign-off

What the user receives

Output	Description
Suppliers screened	Total count in batch
Critical / high / medium / low	Count per risk band
Per-supplier risk band	low / medium / high / critical
Sanctions result	OFAC / EU / UN hit or clear with match details
PEP flag	PEP status and category
ESG score	Rating and adverse media flags
Financial stability	Registration status, insolvency signals
Findings	Per-supplier structured list with source and severity
Recommended action	AI-suggested decision
Decision options	approve_all / approve_clean / reject_all / escalate
Audit receipt ID	Permanent signed record of the procurement decision
Compact journal	Full event log: screening → risk report → human decision

When to trigger

Activate when the user:

Provides a supplier list (names, IDs, or CSV)
Says "screen these vendors", "run supply chain check", "due diligence on supplier"
Asks to prepare a procurement risk report before signing contracts

Before starting, confirm: "Screen [COUNT] suppliers for MOVA supply chain risk analysis?"

If supplier data is missing — ask once for: supplier names/IDs, country of registration, procurement category.

Step 1 — Submit supplier list for screening

Call tool mova_hitl_start_supply_chain with:

suppliers: array of objects with id, name, country (ISO 3166-1 alpha-2)
category: raw_materials / logistics / technology / services
requestor_id: employee ID of the procurement requestor

Step 2 — Show risk report and decision options

If status = "waiting_human" — show the screening summary:

Suppliers screened: COUNT
Critical:           CRITICAL_COUNT
High risk:          HIGH_COUNT
Clean:              CLEAN_COUNT[Per-supplier table: ID | Name | Country | Risk band | Top finding]
Recommended action: ACTION ← RECOMMENDED

Option	Description
`approve_all`	Approve all screened suppliers
`approve_clean`	Approve only clean suppliers, block high-risk
`reject_all`	Block entire batch pending further review
`escalate`	Escalate to compliance team

Call tool mova_hitl_decide with:

contract_id: from the response above — this is ctr-scr-xxxxxxxx, NOT a supplier ID
option: chosen decision
reason: procurement manager reasoning (required for reject_all and escalate)

Step 3 — Show audit receipt

Call tool mova_hitl_audit with contract_id. Call tool mova_hitl_audit_compact with contract_id for the full signed screening chain.

Connect your real screening systems

By default MOVA uses a sandbox mock. To route checks against your live infrastructure, call mova_list_connectors with keyword: "supply".

Relevant connectors:

Connector ID	What it covers
`connector.screening.pep_sanctions_v1`	PEP & sanctions screening (OFAC, EU, UN)
`connector.esg.ratings_v1`	ESG ratings and adverse media
`connector.data.company_registry_v1`	Company registration status
`connector.data.company_enrichment_v1`	Financial stability and enrichment data

Call mova_register_connector with connector_id, endpoint, optional auth_header and auth_value.

Rules

NEVER make HTTP requests manually
NEVER invent or simulate screening results — if a tool call fails, show the exact error
Use MOVA plugin tools directly — do NOT use exec or shell
CONTRACT_ID is ctr-scr-xxxxxxxx from the mova_hitl_start_supply_chain response — NOT a supplier ID

数据来源：ClawHub ↗ · 中文优化：龙虾技能库

OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险，如需更匹配、更安全的方案，建议联系付费定制

了解定制服务

License

运行时依赖

版本

安装命令 点击复制

技能文档

What it does

Requirements

Demo

Quick start

Why contract execution matters

What the user receives

When to trigger

Step 1 — Submit supplier list for screening

Step 2 — Show risk report and decision options

Step 3 — Show audit receipt

Connect your real screening systems

Rules

安装命令点击复制