eSign Automation

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed e-signature automation skill that uses an external eSignGlobal CLI and API key for expected contract workflows.

Install this only if you want an agent to operate eSignGlobal workflows. Use a scoped API key where possible, verify the exact PDF, envelope ID, recipients, and action before sending, cancelling, reminding, or changing recipients, and consider preinstalling or pinning a reviewed CLI version for sensitive contract work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 85%
Finding
The skill instructs the agent to send reminder notifications via the external e-sign service without explicitly warning that recipient names, email addresses, and envelope metadata will be transmitted to that third party. In an automation setting, this omission can lead to unintended disclosure of personal or business contact data, especially when users assume reminders are local or internal actions.

VirusTotal

64/64 vendors flagged this skill as clean.
