Dropbox

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: dropbox-api
Version: 1.0.4

This skill bundle provides a standard integration for the Dropbox API through a managed gateway service (maton.ai). It facilitates file management, OAuth connection handling, and search functionality using the MATON_API_KEY environment variable. The provided code examples in SKILL.md are standard API interactions using urllib and requests, and no evidence of data exfiltration, malicious execution, or harmful prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to read, upload, move, or otherwise manage Dropbox content when the user asks it to use this skill.

Why it was flagged

The skill is intended to manage Dropbox content, which is purpose-aligned but can affect user files and folders if invoked with broad or destructive requests.

Skill content

Access the Dropbox API with managed OAuth authentication. Manage files and folders, search content, retrieve metadata, and work with file revisions.

Recommendation

Use clear, path-specific instructions and confirm destructive or bulk file operations before allowing them.

What this means

Anyone or any agent process with the MATON_API_KEY may be able to use the connected Dropbox authorization through Maton.

Why it was flagged

The skill requires a Maton API key and uses managed OAuth, giving the integration delegated access to the user's Dropbox account.

Skill content

All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY`

Recommendation

Protect the MATON_API_KEY, connect only the intended Dropbox account, and revoke the connection when no longer needed.

What this means

Dropbox metadata and file contents handled through this skill may pass through Maton's infrastructure before reaching Dropbox.

Why it was flagged

Dropbox API requests and file-content operations are routed through Maton's gateway, so users must trust that gateway with the proxied requests and OAuth-backed access.

Skill content

The gateway proxies requests to `api.dropboxapi.com` ... or `content.dropboxapi.com` ... and automatically injects your OAuth token.

Recommendation

Use this only if you trust Maton as an OAuth/API gateway for the Dropbox data involved, especially for private or sensitive files.

What this means

A request could affect the wrong Dropbox account if multiple connections are active and the agent does not specify one.

Why it was flagged

When multiple Dropbox connections exist, the default-selection behavior could cause actions to run against an unintended account if the connection ID is not specified.

Skill content

If omitted, the gateway uses the default (oldest) active connection.

Recommendation

Specify the Maton-Connection header when more than one Dropbox connection exists.