Docusign MCP
Pass
Audited by ClawScan on May 5, 2026.
Overview
This is a coherent DocuSign integration, but it uses DocuSign OAuth credentials, persistent local token storage, an external MCP service, and tools that can affect real signing workflows.
Install this only if you want the agent to work with DocuSign using your connected account. Keep OAuth tokens and the mcporter credential vault protected, consider pinning the mcporter dependency, and manually review any action that sends, voids, updates, or modifies DocuSign envelopes, recipients, templates, or documents.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to send, void, or modify DocuSign items if the connected account permits it.
The skill exposes high-impact DocuSign write operations, but it discloses the impact and instructs confirmation of user intent before writes.
Write operations that create, send, void, update, or modify envelopes, recipients, templates, and documents can affect real signing workflows. Confirm clear user intent before invoking write tools
Use this skill only for DocuSign work, and review any create, send, void, update, or template/document modification before allowing it.
The connected DocuSign account permissions become available to the MCP tooling, and the tokens persist locally in the user's mcporter vault.
The initializer stores DocuSign OAuth access and refresh tokens in the mcporter credential vault so the MCP client can authenticate.
tokens: {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"},
Use least-privileged DocuSign authorization where possible, protect the environment variables and ~/.mcporter/credentials.json, and revoke or remove credentials when uninstalling or no longer using the skill.
A future mcporter release would be installed by default, which may not be the exact code previously reviewed.
The skill depends on an npm CLI package without a pinned version, which can change over time, but the artifact openly discloses this and gives mitigation guidance.
The install spec uses unpinned `mcporter` (npm `latest`); operators with strict supply-chain controls should override the install to pin a specific version
Pin mcporter to a reviewed version in controlled environments.
DocuSign receives the requested DocuSign-related data and operations through its hosted MCP service.
The skill communicates with an external hosted MCP service and clearly discloses the endpoint and the DocuSign data involved.
Tool calls travel to DocuSign's hosted MCP service at `https://mcp.docusign.com/mcp` over HTTPS, authenticated via OAuth. DocuSign sees the envelope, recipient, template, document, and signing-status data referenced by each call.
Use the skill only for DocuSign-related tasks and avoid sending unrelated sensitive content through the DocuSign MCP tools.
