DocuSign MCP Server (Navigator/Agentic) — agentic threat model

AIVSS 7.3 · High

The DocuSign MCP Server presents a high-risk profile due to its ability to access sensitive legal agreements and initiate legally binding signature workflows. Its security heavily relies on robust OAuth scope enforcement and strict human-in-the-loop confirmation gating to prevent unauthorized actions by orchestrating agents.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.63
Factor sum: 4.2/10
Threat: ×1.0
Mitigation: ×0.8

Autonomy of Action: 0.60
Goal-Driven Planning: 0.40
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.50
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the specific foundation models powering the Navigator agreement analysis or the orchestrating agent are not detailed in the MCP server specification.

L2 · Data Operations (✓ mapped)

Accesses highly sensitive agreement catalogs and metadata via DocuSign Navigator. Threats include unauthorized data exfiltration of legally binding documents and metadata harvesting by compromised client agents.

L3 · Agent Frameworks (✓ mapped)

Exposes powerful tools for envelope status retrieval and signature workflow initiation. Vulnerable to tool misuse where an LLM is manipulated into initiating unauthorized signature workflows or leaking agreement details.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — the hosting environment, network isolation, and sandboxing of the MCP server itself are not specified, though it communicates externally with DocuSign APIs.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in logging, evaluation frameworks, or anomaly detection for monitoring malicious or anomalous MCP tool invocations.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Relies on DocuSign OAuth for authentication. The listing explicitly highlights that confirmation gating and strict OAuth scopes are critical security controls to prevent unauthorized legally binding actions.

L7 · Agent Ecosystem (✓ mapped)

As an MCP server, this agent is designed to be called by other orchestrator agents. This introduces significant agent-to-agent trust risks, where a compromised parent agent could abuse the DocuSign tools.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).