fadada-esign
Audited by ClawScan on May 10, 2026.
Overview
This looks like a purpose-built FaDaDa e-signing skill, but it asks for corporate signing credentials and exposes high-impact contract actions with weak provenance and confirmation guardrails.
Before installing or using this skill, verify that it is truly from FaDaDa or a trusted publisher. Use sandbox mode first, protect the App Secret, and require explicit confirmation for every contract send, batch send, cancellation, deletion, or other task-control action.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-eager invocation could send a real contract or signing link to the wrong person.
The documented workflow directly sends a contract to a signer. For a legally significant action, the artifacts do not show a required confirmation step for the exact file, recipient, phone number, task subject, and environment before sending.
fadada send contract.pdf --signer "张三:13800138000"
Require explicit user confirmation before every send or batch send, showing the file, recipients, phone/email, task subject, production/sandbox mode, and whether notifications will be sent.
An agent using these references could alter, revoke, or delete signing tasks in ways that affect business records or legal workflows.
The included API reference exposes high-impact task-control operations beyond simple status checks and downloads, including cancellation, abolition, and deletion, without corresponding guardrails in the skill instructions.
5.1 撤销签署任务 (Cancel signing task) ... 5.6 作废签署任务 (Abolish signing task) ... 5.7 删除签署任务 (Delete signing task)
Limit exposed workflows to the stated send/query/download actions, or add strong confirmations and reason prompts for cancel, abolish, delete, finish, or other task-control operations.
If these credentials are mishandled, someone could act through the organization’s FaDaDa integration.
The skill requires FaDaDa application credentials and a corporate identifier. This is expected for the integration, but those credentials can authorize contract-signing actions.
export FADADA_APP_ID="your_app_id" ... export FADADA_APP_SECRET="your_app_secret" ... export FADADA_OPEN_CORP_ID="your_open_corp_id"
Use least-privileged credentials where possible, start in sandbox mode, avoid hardcoding secrets, and store any config file with owner-only permissions.
Contract contents, names, phone numbers, and optional identity details may be sent to the e-sign provider.
The skill uploads selected contract files and signer personal information to the FaDaDa service. This is purpose-aligned, but the data can be sensitive.
file_path="/path/to/contract.pdf", signer_name="张三", signer_mobile="13800138000"
Only use approved documents and intended recipients, verify provider account settings and retention policies, and avoid including unnecessary identity fields.
Users may provide corporate e-sign credentials because they believe the package is officially verified.
The README claims this is an official SDK, while the registry metadata supplied for review lists the source as unknown and no homepage. For a credentialed legal-signing integration, unsupported official-source claims materially affect user trust.
"Official Python SDK based on the FaDaDa (法大大) FASC API 5.0"
Verify the publisher and source repository through FaDaDa’s official channels before installing or entering credentials.
