docusign

The skill's footprint is broadly coherent with its stated purpose: it uses curl-based calls to the DocuSign API, requires a valid DOCUSIGN_TOKEN, and follows documented steps to discover base_uri/account_id before performing envelope/primitives operations. The main security considerations are the handling of a sensitive API token (env var) and the temporary writing of JSON payloads to /tmp. No evidence of malicious data flows or unauthenticated third-party calls. Overall, the skill is BENIGN with MEDIUM risk due to credential exposure potential and transient local data storage; no supply-chain or exfiltration red flags identified.