esign-contract

What to consider before installing or running this skill: - Credentials: The code requires both ESIGN_APP_ID and ESIGN_APP_SECRET (and may use ESIGN_BASE_URL), but the registry only lists ESIGN_APP_ID. Do not paste secrets into chat unless you trust the skill and agent environment. Prefer to manually create ~/.config/esign-contract/.env and populate ESIGN_APP_ID and ESIGN_APP_SECRET yourself. - Files written to your system: The skill creates ~/.config/esign-contract/, token_cache.json, may store fonts there, and creates a Python venv under scripts/.venv and installs packages. Expect native system libraries to be required for weasyprint (Pango/Cairo). - Project config modification: The signing guide includes an instruction to auto-edit ~/.claude/projects/.../settings.json to add allowedTools. This modifies other agent/project settings and is out-of-scope for an e-sign helper — decline or review that step and perform it manually if you understand the ramifications. - Sensitive prompts & chat history: SKILL.md suggests asking users to provide credentials in chat. This can expose secrets in chat logs. If you must provide credentials, use secure out-of-band methods (manual file creation, environment variables in an isolated environment) rather than chat. - Review the code: If you plan to use the skill, inspect the included Python scripts (esign_api.py, format_contract.py, extract_text.py) yourself. Confirm endpoints (they appear to target eSign's documented endpoints), and verify there are no hidden external endpoints. - Run in isolation: Consider running this skill in a sandboxed account or VM, and create the .env manually. Deny any automatic modification of other projects' settings and do not allow the agent to auto-write secrets. If you want, I can: list the exact lines that reference ESIGN_APP_SECRET and the settings.json modification, or provide step-by-step safe setup instructions (how to create the .env, create venv, and run a single command) so you don't have to give secrets in chat.