ClawHub

eSign Automation

v1.7.5

Automate contract signing, esign, and signature workflows by calling the eSignGlobal CLI tool. The eSignGlobal CLI is agent-friendly, with JSON output by def...

7· 371·0 current·0 all-time
by@esign-cn-open-source
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description describe eSignGlobal signing workflows and the SKILL.md only asks for the ESIGNGLOBAL_APIKEY and uses an external CLI (npx @esignglobal/envelope-cli) to perform envelope operations, file upload/download, template rendering, signature verification, etc. All required capabilities (file reads, network calls to eSignGlobal) are consistent with the stated purpose.
Instruction Scope
Instructions direct the agent to use the eSignGlobal CLI via npx, set ESIGNGLOBAL_APIKEY, and operate on local files (e.g., --file <filePath>, compare PDFs, download signed documents). This is expected for a signing automation skill, but it means the agent will access local documents and transmit them to the eSignGlobal service. The skill explicitly instructs not to persist secrets, which is good.
Install Mechanism
No install spec is bundled; the doc recommends using npx to invoke @esignglobal/envelope-cli. That is coherent with an instruction-only skill, but npx will download and execute code from the npm registry at runtime (supply-chain/remote-code execution risk). This is proportionate for a CLI-based integration but represents the primary operational risk vector.
Credentials
Only ESIGNGLOBAL_APIKEY is listed as the primary credential and the SKILL.md only references that env var for authentication. There are no unrelated credentials or config paths requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not declare persistent system modifications. Autonomous invocation is allowed (platform default) but not combined with other high-privilege requests.
Assessment
This skill appears to do what it says: it calls an external eSignGlobal CLI to send, manage, and verify signed documents and only needs your ESIGNGLOBAL_APIKEY. Before installing/using it: 1) Confirm the npm package name (@esignglobal/envelope-cli) and the GitHub homepage truly belong to the vendor you trust; review the package repo and recent publish history. 2) Be aware npx fetches and runs code from npm each time — consider installing the CLI from a vetted source yourself instead of running npx on-demand to reduce supply-chain risk. 3) The agent will need access to local files to send/compare PDFs; avoid sending highly sensitive documents unless you trust the service and network path. 4) Limit the API key scope and rotate keys after granting access; never paste your key into chat. 5) If you need stronger assurance, ask the skill author for a signed release, published checksum, or to provide an install spec pointing to an official release artifact.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cf3tb11krft9w4zzysdmpys83z1wc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Primary envESIGNGLOBAL_APIKEY

Comments