docusign-skill
Pass
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
Bashtool to execute its own Python script (docusign_skill.py) for managing DocuSign envelopes and authentication. - [CREDENTIALS_UNSAFE]: The skill manages highly sensitive credentials including RSA private keys and API tokens. However, it follows security best practices:
- It instructs users to store the private key at a specific path (
~/.claude/skills/docusign-skill/private.key) and apply restrictive permissions (chmod 600). - It automatically applies
0o600permissions to the generatedcredentials.jsonand cached token files. - No hardcoded credentials or secrets were found in the source code; the
PROD_IDS.mdfile contains only public UUIDs and non-sensitive identifiers used for production configuration. - [EXTERNAL_DOWNLOADS]: The skill depends on standard, well-known libraries from official registries (
docusign-esign,cryptography,PyJWT,requests) as listed inrequirements.txt. - [DATA_EXFILTRATION]: Network operations are restricted to official DocuSign OAuth and API endpoints (
account.docusign.com,account-d.docusign.com, and account-specific base URIs) for the intended purpose of electronic signature management.
Audit Metadata