esign-contract

Security checks across malware telemetry and agentic risk

Overview

This skill performs legitimate e-signature work, but it asks for powerful credentials, handles sensitive contracts, and includes under-scoped local persistence and permission changes users should review before installing.

Install only if you trust this skill, the publisher, and e签宝 with contract contents, signer identities, phone numbers, and signing workflow control. Prefer manually configuring credentials or using a secrets manager instead of pasting secrets into chat, review or block any automatic Claude Code settings change, use least-privilege or sandbox e签宝 credentials where possible, and clean up ~/.config/esign-contract plus temp/downloaded contract files on shared or sensitive machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly instructs the agent to invoke Bash/Python to write the full contract to a local temporary file. That expands the skill from contract drafting into local code execution and filesystem persistence, which increases attack surface and can expose sensitive contract data or enable unsafe tool use beyond what users would reasonably expect from an e-sign/contract workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The guide explicitly instructs the agent to edit `~/.claude/projects/.../settings.json` to pre-authorize tools, which modifies user/project configuration outside the core e-signing workflow. This expands the agent's privileges without explicit user consent and can weaken local safety controls, enabling broader or repeated tool use beyond the immediate task.

Description-Behavior Mismatch

Severity: Low
Confidence: 90%
Finding:
The skill stores signing history and participant metadata locally in ~/.config/esign-contract/flow_history.json, even though that persistence is not necessary for core API calls and is broader than the stated skill purpose. This creates a privacy exposure because contract names, participant identities, and timestamps remain on disk and may be accessible to other local processes or users.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The code persists participant phone/contact information to local disk without an obvious need for the signing operation itself. Phone numbers tied to contract participation are sensitive personal data, so storing them locally increases privacy and compliance risk if the host is shared, backed up, or later compromised.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README describes uploading contracts, signer identities, and generating signing links through the external e签宝 API without clearly warning that contract contents and personal data will be transmitted to a third-party service. In a contract-signing workflow, this omission can mislead users about data handling and privacy boundaries, increasing the risk of unintended disclosure of sensitive legal and personal information.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding:
The README advertises actions such as revoking signing flows and downloading signed files without warning that these operations may be state-changing, sensitive, or difficult to undo. Users may trigger cancellation of active workflows or expose executed agreements without understanding the consequences, especially in an automated agent context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs the agent to ask users to paste App ID and App Secret directly into chat and then persist them to disk. Collecting secrets in conversation increases the chance they are exposed in chat logs, telemetry, screenshots, or mishandled by downstream tooling, and the skill does not present a prominent warning or safer alternative first.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The guidance tells the agent to write complete contract contents, including names, ID numbers, contact details, and commercial terms, to a temporary local .md file without any user-facing disclosure or consent. Because contracts in this skill are expected to contain highly sensitive personal and business data, undisclosed local persistence materially increases privacy and data leakage risk, especially on shared or monitored environments.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The instructions tell the agent to automatically write Claude Code settings without warning or confirmation, causing a silent privilege and configuration change on the user's system. Hidden persistence or authorization changes are especially risky in agent skills because users may not realize future actions are being enabled.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The workflow instructs uploading contracts, extracting text, creating flows, and saving signer identities and phone numbers to an external e-sign service, but omits any privacy, data handling, or consent warning. Because contracts and signer PII are highly sensitive, lack of disclosure can lead to unauthorized data sharing and compliance issues.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
Signed documents are downloaded and written to a local directory, defaulting to the system temp directory, without a clear warning or consent flow. Signed contracts often contain highly sensitive legal and personal information, so silent local persistence can expose them to other users, backup systems, or temp-directory scavenging.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The verify command treats a local path as input, silently uploads that file to the remote e-sign service, and then verifies the uploaded copy. Users may reasonably expect local verification to remain local; instead, potentially confidential contracts are transmitted off-host without an explicit disclosure, which is especially risky for sensitive legal documents.

Ssd 3

Severity: High
Confidence: 98%
Finding:
The skill explicitly recommends soliciting API credentials in chat and writing them into a persistent local credential file under the user's home directory. This creates both immediate disclosure risk during collection and long-term exposure risk from storing secrets in plaintext where other local processes, backups, or accidental sharing may reveal them.

VirusTotal

66/66 vendors flagged this skill as clean.
