Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawdbot Skill Dropbox

v1.0.1

Upload, download, and manage files in Dropbox with automatic OAuth token refresh.

2 · 1.6k · 2 current · 2 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Dropbox file management + token refresh) match the required credentials, the README, SKILL.md, package.json, and the script. Requested env vars (app key/secret and refresh token) are appropriate for OAuth refresh behavior.
Instruction Scope
SKILL.md and the script only read/write ~/.config/atlas/dropbox.env and local files being uploaded/downloaded, and call official Dropbox API endpoints (api.dropboxapi.com, content.dropboxapi.com). There is no instruction to read unrelated system files or exfiltrate data to other endpoints.
Install Mechanism
There is no install spec (instruction-only), so nothing is pulled from external URLs. Minor inconsistency: the README and package.json list or recommend the 'requests' dependency, but the included script uses Python's urllib, so no third-party package is actually required. This is a documentation/implementation mismatch, not a dangerous install mechanism.
Credentials
Only Dropbox app credentials and a refresh token are required, and both are necessary for the described functionality. The skill persists these tokens to ~/.config/atlas/dropbox.env in plain text: functionally expected for a CLI of this kind, but the file then holds a long-lived credential and must be protected accordingly.
Persistence & Privilege
The skill does not request forced 'always' inclusion and does not modify other skills or system-wide settings. It can be invoked autonomously (platform default), which increases operational scope but is expected for an agent skill.
Assessment
This skill appears to do what it says: a lightweight Dropbox CLI that reads/writes ~/.config/atlas/dropbox.env and talks only to Dropbox endpoints. Before installing:
(1) be aware the refresh token and app secret are stored in plain text in ~/.config/atlas/dropbox.env; treat them like passwords, confirm the file is readable only by your user (mode 0600), and prefer a limited-scope App Folder app over Full Dropbox access where possible;
(2) review the included script yourself if you can (the source is present and readable);
(3) note the README/package.json mention the 'requests' dependency while the script uses urllib (no extra package required); this is a documentation mismatch, not a security issue;
(4) because refresh tokens are long-lived, revoke the app from your Dropbox account if you stop using the skill;
(5) avoid granting broader Dropbox scopes than necessary;
(6) the VirusTotal verdict above is "Suspicious" while this assessment is "Benign"; open the VirusTotal report and reconcile the two before trusting either.
Overall the skill is internally coherent.
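The Credentials and Assessment sections above describe two things a reviewer of this skill cares about: how the refresh token and app secret are persisted, and how the automatic refresh against api.dropboxapi.com is performed. The following is an added example, written for this page and not taken from the skill's script, showing how that flow looks when the env file is written atomically with owner-only permissions, refused when it has been made world-readable, and the refresh-token grant is sent to the official Dropbox token endpoint. The variable names DROPBOX_APP_KEY, DROPBOX_APP_SECRET and DROPBOX_REFRESH_TOKEN are assumptions (the page does not name the skill's env vars), the `demo()` function uses a scratch directory rather than ~/.config/atlas/dropbox.env, and `fake_dropbox_response` is a constructed stand-in so the code runs offline.

```python
# Added example (not the skill's own code). Env var names DROPBOX_* are assumed.
import io
import json
import os
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Official Dropbox token endpoint on api.dropboxapi.com, the host named in the scan.
TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"


def write_env_file(path, values):
    """Atomically write KEY=VALUE lines. mkstemp creates the file 0600, so the
    secrets are never world-readable, even briefly; chmod makes that explicit."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".dropbox.env.")
    try:
        with os.fdopen(fd, "w") as fh:
            for key, value in values.items():
                fh.write(f"{key}={value}\n")
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # atomic swap into place
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return path


def load_env_file(path):
    """Parse the env file, refusing one that group or others can read."""
    path = Path(path)
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:04o}; refresh token exposed, refusing to load")
    values = {}
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def build_refresh_request(app_key, app_secret, refresh_token):
    """Refresh-token grant as Dropbox documents it: form-encoded POST."""
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": app_key,
        "client_secret": app_secret,
    }).encode()
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def refresh_access_token(env_path, send=urlopen):
    """Load credentials, fetch a new short-lived access token, persist it.
    `send` is injectable so the flow can be exercised without network access."""
    env = load_env_file(env_path)
    req = build_refresh_request(env["DROPBOX_APP_KEY"], env["DROPBOX_APP_SECRET"],
                                env["DROPBOX_REFRESH_TOKEN"])
    with send(req, timeout=30) as resp:
        payload = json.loads(resp.read().decode())
    env["DROPBOX_ACCESS_TOKEN"] = payload["access_token"]
    write_env_file(env_path, env)  # rewritten with the same 0600 guarantee
    return payload["access_token"]


def fake_dropbox_response(access_token):
    """Constructed stand-in for the Dropbox JSON reply (offline use only)."""
    return io.BytesIO(json.dumps({"access_token": access_token, "token_type": "bearer",
                                  "expires_in": 14400}).encode())


def demo():
    """Run the flow in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as scratch:
        env_path = Path(scratch) / "dropbox.env"
        write_env_file(env_path, {  # constructed placeholder credentials
            "DROPBOX_APP_KEY": "app-key-constructed",
            "DROPBOX_APP_SECRET": "app-secret-constructed",
            "DROPBOX_REFRESH_TOKEN": "refresh-constructed",
        })
        mode_after_write = stat.S_IMODE(env_path.stat().st_mode)
        token = refresh_access_token(
            env_path, send=lambda req, timeout: fake_dropbox_response("sl.constructed"))
        persisted = load_env_file(env_path)["DROPBOX_ACCESS_TOKEN"]
        os.chmod(env_path, 0o644)  # simulate a careless chmod, then retry the load
        try:
            load_env_file(env_path)
            rejected = False
        except PermissionError:
            rejected = True
    return {"mode": mode_after_write, "token": token, "persisted": persisted,
            "rejected_world_readable": rejected}


if __name__ == "__main__":
    print(demo())
```

The mode check in `load_env_file` is the part worth copying into a review checklist: a skill that writes a long-lived refresh token with the process umask (often 0644) leaves it readable to every local user, and a loader that refuses such a file fails loudly instead of silently running with an exposed credential.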

Like a lobster shell, security has layers — review code before you run it.

