dropbox-sign-automation

SUSPICIOUS: The skill's purpose and capabilities mostly align, and the endpoint appears to be an official Composio service rather than an unknown payload. However, all discovery, authentication, and execution are routed through Composio's hosted MCP layer, which forwards Dropbox Sign access and data through a third-party intermediary without pinning or direct first-party API use. This is not confirmed malware, but it carries meaningful trust and credential-forwarding risk.