Dropbox Integration

v1.0.1

Read-only Dropbox integration for browsing, searching, and downloading files from your Dropbox account. Includes automatic OAuth token refresh, secure credential storage, and a comprehensive setup guide. Perfect for accessing your Dropbox files from OpenClaw without giving write access.

by Tiran Dagan (@tirandagan)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code and instructions: scripts browse, search, download, OAuth setup, and token refresh all call Dropbox APIs with read-only scopes (files.metadata.read, files.content.read, account_info.read). Requiring an app key/secret and refresh token is expected for this purpose.
Instruction Scope
SKILL.md and code stay within the stated purpose (starting a local OAuth flow, saving token.json, listing/searching/downloading). The instructions require running a local HTTP server for OAuth and writing credentials.json and token.json in the skill directory—these are expected but worth noting because they create sensitive files on disk. Scripts will write downloaded files to arbitrary local paths you provide (expected behavior for a downloader).
Install Mechanism
No install spec is provided (lowest risk) and the package uses the official 'dropbox' npm dependency. SKILL.md instructs to run 'npm install dropbox' which is normal. No downloads from untrusted URLs or archives are present.
Credentials
Registry metadata lists no required config paths or env vars, but the code expects credentials.json (app_key/app_secret) and token.json in the skill directory. That mismatch between declared requirements and actual required files is a documentation/metadata inconsistency users should notice. The skill requires sensitive secrets (app secret and refresh token) which are stored plaintext in token.json and must be protected; this is proportionate to the feature but should be handled carefully.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It persists tokens and credentials only in its own directory (token.json/credentials.json) and does not modify other skills or system-wide settings. Autonomous invocation is enabled by default (normal); combine that with token access only if you trust the skill source.
Assessment
This skill appears to implement a legitimate read-only Dropbox integration, but check a few things before installing:
- Trust & provenance: the owner/homepage is unknown. Only install if you trust the source or have reviewed the code yourself.
- Metadata mismatch: the registry metadata claims no required config paths/env vars, but the code requires credentials.json (app_key/app_secret) and produces token.json — ensure you provide these files and protect them.
- Least privilege: consider creating an 'App folder' Dropbox app instead of 'Full Dropbox' to limit exposure, unless you need account-wide reads.
- Protect secrets: credentials.json and token.json are stored on disk in the skill directory; ensure .gitignore is correct and set restrictive file permissions (e.g., 0600). Rotate/revoke tokens if the machine or skill environment is compromised.
- Node & environment: run the skill in a controlled environment (container or dedicated user) and run 'npm install' inside that environment. Verify Node version (uses fetch and modern SDK—Node 18+ recommended).
- Use caution when downloading: the download script writes to any local path you supply — avoid passing sensitive system paths to the skill or letting the agent choose target paths without constraints.
If you want higher assurance, have someone you trust review the included JS files (setup-oauth.js, dropbox-helper.js, etc.) and confirm token storage and refresh behavior are acceptable.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97a6h0cqya2shtstp56e5gz2n80ssqh
