docusign-skill

Pass

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute its own Python script (docusign_skill.py) for managing DocuSign envelopes and authentication.
  • [CREDENTIALS_UNSAFE]: The skill manages highly sensitive credentials including RSA private keys and API tokens. However, it follows security best practices:
  • It instructs users to store the private key at a specific path (~/.claude/skills/docusign-skill/private.key) and apply restrictive permissions (chmod 600).
  • It automatically applies 0o600 permissions to the generated credentials.json and cached token files.
  • No hardcoded credentials or secrets were found in the source code; the PROD_IDS.md file contains only public UUIDs and non-sensitive identifiers used for production configuration.
  • [EXTERNAL_DOWNLOADS]: The skill depends on standard, well-known libraries from official registries (docusign-esign, cryptography, PyJWT, requests) as listed in requirements.txt.
  • [DATA_EXFILTRATION]: Network operations are restricted to official DocuSign OAuth and API endpoints (account.docusign.com, account-d.docusign.com, and account-specific base URIs) for the intended purpose of electronic signature management.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 5, 2026, 06:05 PM
Security Audit — agent-trust-hub — docusign-skill