Back to skill
Skillv1.0.0
ClawScan security
Dropbox Inc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 8:04 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only, read-only reference about Dropbox that does not request credentials, install software, or perform actions outside its stated purpose.
- Guidance
- This skill appears to be a read-only informational sheet about Dropbox and is internally consistent with that purpose. Before installing: (1) note the source is unknown and there's no homepage—verify important facts against official or trusted sources if you will act on them; (2) if you expected a skill that interacts with Dropbox (uploads/downloads, account management), this skill does not request API keys or tokens and therefore won’t be able to perform those actions—be cautious of future versions that might ask for credentials; (3) because it is instruction-only and requests no secrets, the direct security risk is low, but always avoid pasting sensitive account information into any skill's prompts.
Review Dimensions
- Purpose & Capability
- okThe skill's name/description promise a corporate overview of Dropbox and the SKILL.md contains company history, business model, metrics and 'read_when' hints that match that purpose. It does not declare any unrelated binaries, env vars, or config paths.
- Instruction Scope
- okSKILL.md is static prose with explicit 'read_when' triggers and does not instruct the agent to read local files, access environment variables, call external endpoints, or transmit data. Instructions stay within an information/reference scope.
- Install Mechanism
- okNo install spec and no code files are present, so nothing is written to disk or downloaded at install time. This is the lowest-risk pattern for a skill of this type.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. There is no disproportionate request for secrets or system access relative to its stated function as a static reference.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. Model invocation is allowed (the platform default), but the skill has no install-time or runtime behaviors that would persist state or modify other skills/configuration.