Clawdbot Skill Dropbox
Pass. Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Dropbox integration, but it requires long-lived Dropbox credentials and read/write file access that should be carefully scoped.
Install only if you want the agent to manage Dropbox files. Prefer an App Folder instead of Full Dropbox when possible, keep ~/.config/atlas/dropbox.env readable only by you, review file paths before uploads/downloads, and revoke the Dropbox app if you no longer need this skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the configured Dropbox app to read and write Dropbox files until the refresh token is revoked or the app is disconnected.
The skill requires Dropbox app credentials and a long-lived refresh token, and may be configured with full-account Dropbox access. This is expected for the integration but grants delegated access to the user's Dropbox account.
`DROPBOX_APP_SECRET` | ✅ Yes ... `DROPBOX_REFRESH_TOKEN` | ✅ Yes | OAuth refresh token (long-lived) ... Choose "Full Dropbox" (or "App folder" for limited access)
Use an App Folder and least-privilege scopes if sufficient, keep the token file private, and revoke the Dropbox app if you stop using the skill.
If invoked with the wrong path, local files could be uploaded to Dropbox or Dropbox contents could be changed.
The upload command reads a local file and sends it to Dropbox. That is central to the skill's purpose, but incorrect or overly broad agent use could disclose local files to Dropbox.
with open(local_path, 'rb') as f: file_data = f.read() ... url = "https://content.dropboxapi.com/2/files/upload"
Review upload, download, and folder-creation paths before allowing the agent to run them, especially when sensitive local files are involved.
Users have less provenance information to rely on before trusting the skill with Dropbox credentials.
The provided provenance is limited, though there is no install-time execution or remote script shown. This matters because users would be granting a credentialed Dropbox integration.
Source: unknown ... No install spec — this is an instruction-only skill.
Inspect the included script and package metadata before configuring tokens, and prefer a trusted source or pinned reviewed version for sensitive Dropbox accounts.
