Back to skill

Security audit

eSignatures.com

Security checks across malware telemetry and agentic risk

Overview

The skill appears to target legitimate eSignatures.com workflows, but its broad trigger plus contract-creating and contract-withdrawing authority warrants Review before installation.

Review this skill before installing if your eSignatures.com account contains sensitive contracts or production workflows. Use it only where the agent must ask for explicit confirmation before creating templates, creating contracts, or withdrawing contracts, and prefer a limited API credential if the service supports one.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The invocation guidance is overly broad: 'Use this skill for ANY eSignatures.com request' can cause an agent to route any mention of eSignatures.com into this skill without sufficient task disambiguation or user-intent validation. In a skill that includes write operations such as create_contract, create_template, and withdraw_contract, overly aggressive triggering increases the chance of unintended state-changing actions or unnecessary access to sensitive contract data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.