DocuSign MCP Server (Navigator/Agentic) — agentic threat model
The DocuSign MCP Server presents a high-risk profile because it can access sensitive legal agreements and initiate legally binding signature workflows. Its security relies heavily on robust OAuth scope enforcement and strict human-in-the-loop confirmation gating to prevent unauthorized actions by orchestrating agents.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.40 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.60 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — the specific foundation models powering the Navigator agreement analysis or the orchestrating agent are not detailed in the MCP server specification.
Layer 2, Data Operations: Accesses highly sensitive agreement catalogs and metadata via DocuSign Navigator. Threats include unauthorized data exfiltration of legally binding documents and metadata harvesting by compromised client agents.
Layer 3, Agent Frameworks: Exposes powerful tools for envelope status retrieval and signature workflow initiation. Vulnerable to tool misuse where an LLM is manipulated into initiating unauthorized signature workflows or leaking agreement details.
Layer 4, Deployment and Infrastructure: Not certain from the listing — the hosting environment, network isolation, and sandboxing of the MCP server itself are not specified, though it communicates externally with DocuSign APIs.
Layer 5, Evaluation and Observability: Not certain from the listing — there is no mention of built-in logging, evaluation frameworks, or anomaly detection for monitoring malicious or anomalous MCP tool invocations.
Layer 6, Security and Compliance: Relies on DocuSign OAuth for authentication. The listing explicitly highlights that confirmation gating and strict OAuth scopes are critical security controls to prevent unauthorized legally binding actions.
Layer 7, Agent Ecosystem: As an MCP server, this agent is designed to be called by other orchestrator agents. This introduces significant agent-to-agent trust risks, where a compromised parent agent could abuse the DocuSign tools.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
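The two controls the threat model leans on, OAuth scope enforcement and human confirmation gating, can be combined in a single authorization check in front of every tool call. The sketch below is an added example, not code from the DocuSign MCP server: the tool names, scope strings and the `approve`/`authorize` helpers are hypothetical. It binds each human approval to the exact tool and arguments, so an orchestrating agent cannot reuse an approval for a different recipient or document.

```python
import hashlib, hmac, json, time

# Hypothetical registry: tool names and scope strings are illustrative only,
# not identifiers taken from the DocuSign MCP server.
TOOLS = {
    "search_agreements": {"scope": "agreements.read", "confirm": False},
    "get_envelope_status": {"scope": "envelopes.read", "confirm": False},
    "send_envelope": {"scope": "envelopes.send", "confirm": True},
}
CONFIRM_TTL = 300  # seconds a human approval stays valid


def _mac(key, tool, args, issued_at):
    # Bind the approval to the exact tool, arguments and approval time.
    msg = json.dumps([tool, args, issued_at], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def approve(key, tool, args, now=None):
    """Issued only by the human-facing UI after the user reviews the request."""
    issued_at = int(now if now is not None else time.time())
    return {"issued_at": issued_at, "mac": _mac(key, tool, args, issued_at)}


def authorize(key, granted_scopes, tool, args, approval=None, now=None):
    """Return (allowed, reason) for one tool call from an orchestrating agent."""
    spec = TOOLS.get(tool)
    if spec is None:
        return False, "unknown tool"  # default deny
    if spec["scope"] not in granted_scopes:
        return False, "missing scope"
    if not spec["confirm"]:
        return True, "ok"
    if not approval:
        return False, "confirmation required"
    now = int(now if now is not None else time.time())
    age = now - int(approval.get("issued_at", 0))
    if not 0 <= age <= CONFIRM_TTL:
        return False, "confirmation expired"
    expected = _mac(key, tool, args, approval.get("issued_at"))
    if not hmac.compare_digest(expected, str(approval.get("mac", ""))):
        return False, "confirmation does not match request"
    return True, "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample values below
    args = {"recipient": "alice@example.com", "document_id": "doc-1"}
    token = approve(key, "send_envelope", args)
    print(authorize(key, {"envelopes.send"}, "send_envelope", args, token))
```

The signing key must live only in the component that collects the human decision; if the orchestrating agent can reach it, the gate provides no separation.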