Back to skill

Security audit

Open Agreements

Security checks across malware telemetry and agentic risk

Overview

This skill coherently helps users fill legal templates and optionally send them for signature, with the sensitive network and OAuth behavior disclosed.

Install only if you are comfortable using a legal-template helper that may process confidential agreement details. Prefer the local CLI path for offline filling; use the hosted MCP or DocuSign signing flow only when you accept sending template contents, field values, signer details, and authorization data to those services. Review generated agreements before signing and consider attorney review for legal significance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Intent-Code Divergence

Low
Confidence
99% confidence
Finding
The note says the skill version in the frontmatter is currently `0.2.3`, but the actual frontmatter declares version `0.2.4` at L019. This is an active contradiction in the documentation rather than a mere omission, though it is low impact and not a capability mismatch.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## CRITICAL: DocuSign and Authentication

- **Open Agreements handles DocuSign OAuth automatically.** Do NOT ask the user for a DocuSign API key or integration key.
- **Do NOT tell the user to install or configure DocuSign separately.** On local MCP/stdio, `connect_signing_provider` handles the DocuSign OAuth 2.0 + PKCE flow. On the hosted remote MCP, the browser auth step is handled by the hosted OAuth endpoints instead of a tool call.
- **Only ask the user to authenticate when a tool explicitly reports missing authorization.** Do not preemptively ask for credentials.
- **Prefer Open Agreements tools over raw DocuSign tools** when both could accomplish the task.
Confidence
80% confidence
Finding
Do NOT ask the user

Unbounded Output

Medium
Category
Output Handling
Content
- **Remote MCP**: https://openagreements.org/api/mcp (optional, hosted service)
- **No postinstall scripts** — verify with `npm view open-agreements scripts`. The package declares no `postinstall`, `preinstall`, or `install` hooks. The `prepare` script only runs when installing from a git URL, not from the npm registry.

All template field definitions, fill logic, and DocuSign integration code are auditable in the repository.

### A note on versions
Confidence
80% confidence
Finding
fill log

Tool Parameter Abuse

High
Category
Tool Misuse
Content
open-agreements fill <template-name> -d /tmp/oa-values.json -o <output-name>.docx
```

Clean up: `rm /tmp/oa-values.json`

## Source Code and Audit
Confidence
85% confidence
Finding
rm /tmp/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.