dropbox-sign

SUSPICIOUS. The skill's functionality mostly matches its stated Dropbox Sign purpose, and the CLI install path is vendor-aligned and registry-based. The main concern is data flow integrity: Dropbox Sign access is mediated through Membrane's infrastructure and proxy rather than official Dropbox Sign endpoints, adding third-party trust for authentication, API traffic, and document access. This looks like a coherent integration pattern, not confirmed malware, but the intermediary architecture and action set create medium security risk.