Back to skill

Security audit

Dropbox

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Dropbox API helper; it can read, upload, move, and delete Dropbox data, but those powers match its stated purpose and are not hidden.

Install only if you trust Maton to broker Dropbox access. Confirm exact paths before uploads, moves, deletes, or batch operations; avoid sharing logs containing MATON_API_KEY or temporary links; and revoke unused Dropbox connections when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents delete operations on remote Dropbox content without warning that they are destructive or that the agent should obtain explicit user confirmation before performing them. In an agent setting, this increases the risk of accidental or prompt-induced deletion of user data because the examples normalize direct execution of destructive actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The upload examples include overwrite-capable modes and direct remote file modification but do not warn that these operations change user-controlled cloud data. In an autonomous agent workflow, omission of that warning can lead to unintended data alteration or replacement, especially when file paths are inferred from ambiguous prompts.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The connection deletion section describes deleting an OAuth connection without clarifying that it revokes/removes an existing authorization and may interrupt future access. While less severe than file deletion, this can still cause service disruption or accidental loss of configured connectivity.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The download/export sections retrieve remote file contents and temporary access links but do not mention privacy implications, sensitivity of downloaded data, or care needed with temporary URLs. This can encourage agents to fetch or expose file contents and links without adequate user awareness or handling safeguards.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The batch delete operation can remove multiple remote files at once, yet the documentation lacks any explicit warning about its broad destructive effect. This raises the chance of large-scale accidental data loss if an agent executes the example from an imprecise or adversarial prompt.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.