← Back to Skills Marketplace
93
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install notasign
Description
Send files for e-signature with Nota Sign. Use for requests to send an envelope, initiate signing, send a signing link, configure Nota Sign credentials, or s...
Usage Guidance
This skill appears coherent for sending documents via Nota Sign, but consider the following before installing: 1) The script will store sensitive credentials (private key, appId, userCode) in a local config file — protect ~/.notasign/config.json (chmod 600) and avoid storing unrelated secrets there. 2) The fallback runtime temporarily downloads Node/tsx from npm when needed; that requires network access and fetches packages at runtime. 3) When the agent constructs npx command lines with user-supplied file paths or JSON signer strings, ensure inputs are sanitized to avoid shell/argument injection. 4) Confirm you trust the Nota Sign endpoints listed in the code (openapi-*.notasign.* / openapi-*.uat.notasign.*) before uploading sensitive documents. If you want higher assurance, run the provided script locally in a controlled environment first and inspect the full script output and network calls.
Capability Analysis
Type: OpenClaw Skill
Name: notasign
Version: 1.0.1
The 'notasign' skill is a legitimate integration for the Nota Sign e-signature service, allowing users to send documents for signing via local files or URLs. The core logic in `scripts/send_envelope.ts` implements standard API authentication using RSA-SHA256 signatures and JWTs, with configuration stored locally in `~/.notasign/config.json`. While it includes a runtime fallback that uses `npx` to fetch `node@20` for compatibility, this behavior is documented and aligned with the skill's functional requirements. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Capability Assessment
Purpose & Capability
Name/description (send files for e-signature with Nota Sign) match the included code and SKILL.md. The script validates files, constructs signatures, obtains tokens, uploads files, and calls Nota Sign endpoints. Required credentials are the Nota Sign appId/appKey/userCode/region, which are appropriate for this integration and are stored in local config files (./notasign-config.json or ~/.notasign/config.json).
Instruction Scope
Instructions are narrowly scoped to reading local files or URLs, collecting signer info, storing Nota Sign credentials in a local config, and invoking the TypeScript script. It explicitly instructs not to echo secrets. Note: the runtime uses shell-invoked npx commands with JSON and file path arguments — if the agent or caller interpolates untrusted values into those command-line arguments, there is a risk of argument/command injection or accidental leakage. Also the script will transmit file contents and credentials to external Nota Sign API endpoints as expected for its purpose.
Install Mechanism
No persistent install spec; the skill is instruction-plus-script. The SKILL.md uses npx/tsx and includes a fallback that temporarily downloads node@20 and tsx from npm when local Node.js is older than 18. That is coherent for running a TypeScript script but does require network access to npm for the fallback and pulls runtime packages for the single run.
Credentials
No unrelated environment variables or registry-declared secrets are requested. The only secrets are Nota Sign credentials (appKey is a Base64 PKCS#8 private key) which the skill legitimately needs to sign requests and obtain access tokens. Those are stored in local config files rather than environment variables.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only writes its own config at ./notasign-config.json or ~/.notasign/config.json. Autonomous invocation is allowed (platform default) but not excessive for this integration.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install notasign - After installation, invoke the skill by name or use
/notasign - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Expanded skill description and usage instructions for broader scenarios, including sending files, credentials setup, environment switching (PROD/UAT), and attachment handling.
- Enforced file type and size validation (accepts doc, docx, pdf, xls, xlsx, bmp, png, jpg, jpeg; size ≤ 100MB).
- Added detailed credential management: requires new credentials for each environment, does not reuse between PROD/UAT.
- Clear user-facing prompts for missing info; improved handling of uploaded files and signer details.
- Runtime fallback now temporarily installs node@20 if local Node.js is below 18, ensuring compatibility.
- Enhanced error reporting and summary responses on envelope send.
v1.0.0
- Initial release of notasign skill.
- Provides full API integration with Nota Sign electronic signature platform.
- Supports envelope management, document upload, and automated signing workflows.
- Prompts user for configuration and signing information as needed.
Metadata
Frequently Asked Questions
What is Nota Sign?
Send files for e-signature with Nota Sign. Use for requests to send an envelope, initiate signing, send a signing link, configure Nota Sign credentials, or s... It is an AI Agent Skill for Claude Code / OpenClaw, with 93 downloads so far.
How do I install Nota Sign?
Run "/install notasign" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Nota Sign free?
Yes, Nota Sign is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Nota Sign support?
Nota Sign is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Nota Sign?
It is built and maintained by notasign (@notasign); the current version is v1.0.1.
More Skills