Dropbox Manager

Security checks across malware telemetry and agentic risk

Overview

The Dropbox skill is mostly coherent, but one bundled setup guide points agents to run an unpinned npm MCP server with Dropbox credentials; users should review this before installing.

Install only if you are comfortable granting Dropbox read/write access and local file transfer authority. Prefer the documented Swift Dropbook build path over the `npx -y dbx-mcp-server` reference, review any package before giving it Dropbox tokens, and require confirmation before uploads, downloads, deletes, overwrites, or rclone sync operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The manifest advertises upload and download capabilities that can modify local and cloud data, including an overwrite option, but provides no user-facing warning, confirmation requirement, or safety constraints. In an agent context, this increases the risk of unintended file exfiltration, destructive overwrites, or syncing sensitive local files to Dropbox without the user understanding the consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents `rclone sync` as a normal backup workflow without an explicit warning that sync is destructive and will delete destination files not present in the source. In an agent-oriented skill, users may copy commands verbatim, so this can cause accidental data loss even without any malicious behavior.

Self-Modification

High
Category
Rogue Agent
Content
"type": "boolean",
            "optional": true,
            "default": false,
            "description": "Overwrite existing file"
          }
        }
      },
Confidence
87% confidence
Finding
Overwrite existing file

VirusTotal

65/65 vendors flagged this skill as clean.
