OpenClaw Agreement Sender
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: openclaw-docusign-agreements
Version: 0.1.0
The skill bundle is benign. The `scripts/send_agreement.py` script performs its stated function of detecting signature blocks and creating DocuSign envelopes by interacting with NanoPDF and DocuSign APIs. It reads specified local files (PDF, signers JSON), accesses API keys and endpoints from environment variables, makes HTTP requests, and writes audit files to a designated output directory. All actions are clearly aligned with the skill's purpose, and there is no evidence of intentional harmful behavior, such as unauthorized data exfiltration, persistence mechanisms, or prompt injection attempts in `SKILL.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A client agreement could be sent with incorrectly assigned signature tabs if NanoPDF output lacks clear signer keys or if the user expected to review a draft first.
The script defaults to sending the DocuSign envelope and automatically assigns unmatched signature blocks by signer order before posting to DocuSign, without an explicit pre-send confirmation step in the code.
p.add_argument("--status", default="sent", choices=["sent", "created"], help="Envelope status")
...
for block in unassigned: signer = signers[signer_idx % len(signers)]
...
envelope_result = http_json(... method="POST", payload=docusign_payload ...)
Run with `--status created` by default, review the generated payload and tab placement, and require explicit user approval before sending live envelopes, especially for multi-signer or high-value agreements.
Anyone running the script with these environment variables can use the configured DocuSign account to create or send envelopes.
The skill requires provider credentials that can access NanoPDF and create DocuSign envelopes. This is expected for the integration, but users should understand the account authority being delegated.
Set required variables: ... `NANOPDF_API_KEY` ... `DOCUSIGN_ACCOUNT_ID` ... `DOCUSIGN_ACCESS_TOKEN`
Use least-privileged, short-lived credentials where possible, keep tokens only in environment variables, and avoid running the skill in shared or untrusted environments.
Confidential contract contents and signer names/emails may remain on disk in the output directory after the envelope is created.
The saved DocuSign payload includes signer information and `documentBase64`, meaning the local audit file contains the agreement contents in encoded form.
(out_dir / "docusign_payload.json").write_text(json.dumps(docusign_payload, indent=2), encoding="utf-8")
Store the output directory in a secure location, restrict access, and delete or redact audit files when they are no longer needed.
