ClawHub

Maverick Docusign Mcp

Security checks across malware telemetry and agentic risk

Overview

This DocuSign skill is not clearly malicious, but it can send real signing envelopes using sensitive OAuth credentials without strong built-in guardrails.

Install only if you trust the publisher and intend to let the agent operate on real DocuSign workflows. Use least-privilege OAuth scopes, prefer a DocuSign sandbox first, require human confirmation before any send/void/update action, and consider pinning mcporter and restricting allowed templates or recipient domains.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares and requires multiple sensitive environment variables, including OAuth client credentials and tokens, but does not expose an explicit permissions model describing that it consumes secrets. In an agent ecosystem, this creates a real least-privilege and transparency gap: the skill can access high-value credentials without a clear declared permission boundary, increasing the chance of overbroad secret exposure or unsafe invocation.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill metadata emphasizes searching and managing DocuSign workflows, but this tool can actively transmit envelopes to real recipients. That creates a side-effecting capability beyond passive retrieval, and in an agent context it can be triggered from natural-language requests without any built-in confirmation, policy gate, or recipient restriction.

Vague Triggers

Low
Confidence
89% confidence
Finding
The MCP server is broadly available without any manifest-level trigger scope or activation constraints, which can allow the skill to be invoked in contexts unrelated to DocuSign workflows. Because this server exposes document, envelope, recipient, template, and signing-status operations backed by refreshable bearer auth, overbroad activation increases the chance of unnecessary access to sensitive signing data or unintended state-changing actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
send_envelope_from_template performs an external irreversible action by creating and sending a DocuSign envelope with status="sent" immediately. In an MCP/agent setting, absent an explicit confirmation checkpoint, dry-run mode, or secondary approval, a prompt injection or user misunderstanding could cause unintended legal/business communications to be sent to recipients.

Credential Access

High
Category
Privilege Escalation
Content
- `MAVERICK_DOCUSIGN_MCP_EXPIRES_IN`
- `MAVERICK_DOCUSIGN_MCP_REFRESH_TOKEN_EXPIRES_AT`

mcporter refreshes expired DocuSign access tokens through DocuSign's token endpoint before spawning the stdio server, then injects the token into `MAVERICK_DOCUSIGN_MCP_ACCESS_TOKEN`. If calls keep returning auth errors after retry, the OAuth grant has likely been revoked or expired; reconnect the integration.

## Data flow
Confidence
89% confidence
Finding
access tokens

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal