Dropbox
PassAudited by ClawScan on May 1, 2026.
Overview
This is a disclosed Dropbox API gateway skill, but users should understand it can access and modify Dropbox files through Maton-managed OAuth.
Install this only if you want an agent to manage Dropbox through Maton. Protect your MATON_API_KEY, confirm sensitive file changes, specify the correct Dropbox connection when needed, and avoid routing highly sensitive Dropbox content through the gateway unless you trust the provider.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to read, upload, move, or otherwise manage Dropbox content when the user asks it to use this skill.
The skill is intended to manage Dropbox content, which is purpose-aligned but can affect user files and folders if invoked with broad or destructive requests.
Access the Dropbox API with managed OAuth authentication. Manage files and folders, search content, retrieve metadata, and work with file revisions.
Use clear, path-specific instructions and confirm destructive or bulk file operations before allowing them.
Anyone or any agent process with the MATON_API_KEY may be able to use the connected Dropbox authorization through Maton.
The skill requires a Maton API key and uses managed OAuth, giving the integration delegated access to the user's Dropbox account.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Protect the MATON_API_KEY, connect only the intended Dropbox account, and revoke the connection when no longer needed.
Dropbox metadata and file contents handled through this skill may pass through Maton's infrastructure before reaching Dropbox.
Dropbox API requests and file-content operations are routed through Maton's gateway, so users must trust that gateway with the proxied requests and OAuth-backed access.
The gateway proxies requests to `api.dropboxapi.com` ... or `content.dropboxapi.com` ... and automatically injects your OAuth token.
Use this only if you trust Maton as an OAuth/API gateway for the Dropbox data involved, especially for private or sensitive files.
A request could affect the wrong Dropbox account if multiple connections are active and the agent does not specify one.
When multiple Dropbox connections exist, the default-selection behavior could cause actions to run against an unintended account if the connection ID is not specified.
If omitted, the gateway uses the default (oldest) active connection.
Specify the Maton-Connection header when more than one Dropbox connection exists.