Docusign
v1.0.0DocuSign e-signatures — manage envelopes, templates, recipients, and signing via REST API
⭐ 0· 307·0 current·0 all-time
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's stated purpose (DocuSign REST API) matches the included CLI implementation, and DOCUSIGN_ACCESS_TOKEN / DOCUSIGN_ACCOUNT_ID are reasonable. However SKILL.md declares DOCUSIGN_BASE_URL as required, while the code hardcodes the demo API base (API_BASE) and never reads DOCUSIGN_BASE_URL — this is an incoherence between declared requirements and actual code.
Instruction Scope
SKILL.md describes only DocuSign operations and running scripts/docusign.py. The implementation is focused on API calls, which is expected, but the runtime code will also attempt to read a .env file from a WORKSPACE path (or ~/.openclaw/workspace/.env) if the environment variables are not set. That file-read behavior is not documented in SKILL.md and can pull secrets from a user's workspace without explicit mention.
Install Mechanism
No install spec or third-party downloads; the skill is delivered as a small Python script (stdlib-only). This is low risk from an install-provenance perspective.
Credentials
The primary credential (DOCUSIGN_ACCESS_TOKEN) and DOCUSIGN_ACCOUNT_ID are appropriate for the task. But SKILL.md lists DOCUSIGN_BASE_URL (unused by the code), which is inconsistent. The script also falls back to reading a .env file from WORKSPACE or a default workspace path to obtain missing env vars — that access to a local workspace file is not declared and could expose unrelated secrets in that .env file.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configuration, and contains no install-time persistence steps. It runs as a one-off CLI script when invoked.
What to consider before installing
This skill appears to be a straightforward DocuSign CLI, but there are a few surprises you should consider before installing:
- Inconsistency: SKILL.md requires DOCUSIGN_BASE_URL, but the script hardcodes the demo API base and never uses that env var. Expectation and implementation don't match — confirm which base URL you should supply and why the variable is declared.
- Hidden file read: If DOCUSIGN_ACCESS_TOKEN or DOCUSIGN_ACCOUNT_ID are not set in the environment, the script will try to read them from a .env file in a workspace directory (WORKSPACE or ~/.openclaw/workspace/.env). That behavior is undocumented in the README and could expose other secrets stored in your workspace .env file.
- Arbitrary URL support: The code will accept full http(s) paths (if path starts with "http") when making requests. While necessary for flexibility, this could be misused if accidental inputs are provided — validate inputs if you plan automated use.
Recommendations:
- Inspect the script yourself or run it in an isolated environment. Ensure your .env workspace files do not contain unrelated secrets, or remove/secure them if you will run this skill.
- If you need to use a non-demo DocuSign base URL, contact the skill author or patch the script to respect DOCUSIGN_BASE_URL (or update SKILL.md to match the implementation).
- Prefer setting DOCUSIGN_ACCESS_TOKEN and DOCUSIGN_ACCOUNT_ID explicitly in the environment rather than relying on .env fallback.
Given these mismatches and the undocumented workspace .env read behavior, proceed only after you confirm the intended base URL behavior and secure any workspace .env files.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
✍️ Clawdis
EnvDOCUSIGN_ACCESS_TOKEN, DOCUSIGN_ACCOUNT_ID, DOCUSIGN_BASE_URL
Primary envDOCUSIGN_ACCESS_TOKEN
latest
✍️ DocuSign
DocuSign e-signatures — manage envelopes, templates, recipients, and signing via REST API
Requirements
| Variable | Required | Description |
|---|---|---|
DOCUSIGN_ACCESS_TOKEN | ✅ | OAuth access token |
DOCUSIGN_ACCOUNT_ID | ✅ | Account ID |
DOCUSIGN_BASE_URL | ✅ | Base URL (default: demo) |
Quick Start
# List envelopes
python3 {{baseDir}}/scripts/docusign.py envelopes --from_date <value> --status <value>
# Get envelope
python3 {{baseDir}}/scripts/docusign.py envelope-get id <value>
# Create envelope
python3 {{baseDir}}/scripts/docusign.py envelope-create --subject <value> --templateId <value> --status <value>
# Void envelope
python3 {{baseDir}}/scripts/docusign.py envelope-void id <value> --voidedReason <value>
# List recipients
python3 {{baseDir}}/scripts/docusign.py recipients id <value>
# List documents
python3 {{baseDir}}/scripts/docusign.py documents id <value>
# List templates
python3 {{baseDir}}/scripts/docusign.py templates --search_text <value>
# Get template
python3 {{baseDir}}/scripts/docusign.py template-get id <value>
All Commands
| Command | Description |
|---|---|
envelopes | List envelopes |
envelope-get | Get envelope |
envelope-create | Create envelope |
envelope-void | Void envelope |
recipients | List recipients |
documents | List documents |
templates | List templates |
template-get | Get template |
audit-events | Get audit events |
folders | List folders |
users | List users |
Output Format
All commands output JSON by default. Add --human for readable formatted output.
python3 {{baseDir}}/scripts/docusign.py <command> --human
Script Reference
| Script | Description |
|---|---|
{{baseDir}}/scripts/docusign.py | Main CLI — all commands in one tool |
Credits
Built by M. Abidi | agxntsix.ai YouTube | GitHub Part of the AgxntSix Skill Suite for OpenClaw agents.
📅 Need help setting up OpenClaw for your business? Book a free consultation
Comments
Loading comments...