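📦 Mova Supply Chain Risk - Supplier Risk Assessment and Compliance
v1.0.1 Uses MOVA HITL to screen suppliers against sanctions lists, PEP registries, ESG ratings and financial stability data, routing findings through a human procurement decision gate. Ensures supply chain compliance and risk management.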
Security scan
OpenClaw
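Safe
medium confidence: The skill's stated purpose (screening suppliers via MOVA HITL and routing results to a human procurement gate) is consistent with its instructions and data flows, but it depends on an external MOVA plugin/API (not bundled here). Before using real data, verify the plugin source, the required credentials and the legal/privacy posture.
Assessment recommendations
The skill looks reasonable for supplier screening: it will send supplier names/IDs/countries and procurement metadata to the MOVA service and to sanctions/ESG/registry connectors, and it enforces a human decision gate. Before installing or using it: (1) verify the origin of the openclaw-mova plugin and install it only from a trusted source; (2) ask the plugin owner how the required API keys/credentials are stored; (3) confirm that you are authorized (legally and contractually) to transmit supplier data to the listed external endpoints, and whether data residency/GDPR rules apply; (4) test with non-sensitive or synthetic data first; (5) request the plugin's privacy/security documentation. If the openclaw-mova plugin manifest or a link is provided, I can re-evaluate any missing permissions or mismatches.
Detailed analysis
✓ Purpose and capabilities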
The name and description (supplier screening, sanctions/PEP/ESG/financial checks with human gate) align with the instructions: submit supplier batches to MOVA, show risk bands, and require human sign-off. The external services referenced (MOVA API, sanctions/ESG/registry connectors) are appropriate for the stated purpose.
ℹ Instruction scope
Instructions are focused on screening and a mandatory human decision gate. They explicitly send supplier names/IDs/countries and procurement metadata to api.mova-lab.eu and to screening connectors — which is expected — but the SKILL.md does not list the actual credentials/authorization steps the plugin needs, nor does it include the plugin code. Also the README references screenshot files that are not present in the package (cosmetic).
✓ Install mechanism
This is an instruction-only skill (no install spec, no code), which is low-risk from an install perspective. It requires the 'openclaw-mova' plugin to be installed via OpenClaw; the SKILL.md suggests 'openclaw plugins install openclaw-mova'. The plugin itself is external to this skill and is the component that will perform network calls — verify the plugin source before installing.
ℹ Credential requirements
The skill declares no required environment variables or credentials in its metadata, but it transmits potentially sensitive supplier data to external services. In practice the MOVA plugin (not included) will likely require API keys or tokens; the absence of declared required credentials here means you should confirm what secrets the plugin needs and how they are stored/limited. Ensure you have legal authority to send supplier data to the listed endpoints.
✓ Persistence and privileges
The skill does not request persistent or elevated privileges (always:false). It documents that audit receipts are stored in MOVA R2 storage (external) and claims no local storage. There is no instruction to modify other skills or system-wide settings.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/3/26
Added the contract skill type tag.
● Benign
Install command
Official: npx clawhub@latest install mova-supply-chain-risk
Mirror (accelerated): npx clawhub@latest install mova-supply-chain-risk --registry https://cn.longxiaskill.com
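Skill documentation
Contract skill - a ready-to-use MOVA HITL workflow. Requires the openclaw-mova plugin.
# MOVA Supply Chain Risk Analysis
Screen your supplier list against sanctions registries, PEP databases, ESG ratings and financial stability indicators - a risk level per supplier, source citations, and a mandatory human procurement decision gate backed by a tamper-proof audit trail. ...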