dropbox-sign

SUSPICIOUS: the skill’s capabilities match its stated Dropbox Sign purpose, and the CLI install path appears same-vendor via npm, so this is not overtly malicious. However, it relies on a third-party Membrane CLI/service as the credential and API intermediary, uses an unpinned global install, and enables consequential external actions on signature workflows; this makes the trust and data-flow footprint broader than a direct Dropbox Sign integration.