🟡 Medium Risk | Audited: Feb 5, 2026

dropbox-skill

Upload, download, and manage files in Dropbox with automatic OAuth token refresh. Python-based Dropbox integration.

📋 Audit Summary

Author: thekie
Category: Productivity
License: MIT
Dependencies: Python 3 stdlib only
Install Command: git clone https://github.com/thekie/clawdbot-skill-dropbox.git

🔍 Security Analysis

⚠️ Network Access

Uses urllib from the Python standard library to call the Dropbox API (dropboxapi.com) over HTTPS for file upload and download.

⚠️ Credential Storage

Stores the app key, app secret, access token, and refresh token in plaintext in ~/.config/atlas/dropbox.env. Because the file holds app-level credentials together with a refresh token that never expires on its own, anyone able to read it can keep minting access tokens until the refresh token is revoked.

✅ Automatic Token Refresh

Refreshes the access token automatically using the refresh token and writes the new tokens back to the credential file.

✅ No External Dependencies

Uses only Python standard library (urllib, json, os, pathlib). No pip packages required, reducing supply chain risk.

📦 Token Lifecycle

Token         | Lifetime       | Storage
Access Token  | ~4 hours       | Updated automatically
Refresh Token | Never expires* | Keep secure

*Refresh tokens only expire if explicitly revoked

Trust Score: 6.5 / 10
Medium Risk - Standard OAuth flow

🎯 Permissions

network, filesystem, credentials

✅ Best Practices

  • Auto token refresh
  • No external dependencies
  • Scoped app permissions
  • HTTPS only

⚠️ Recommendations

  • Use scoped access (App folder) rather than full-Dropbox access
  • Set secure file permissions on ~/.config/atlas/dropbox.env (owner read/write only, mode 0600)
  • Rotate tokens regularly; since the refresh token never expires on its own, rotation means revoking it and re-authorizing
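As an added example, not code from the dropbox-skill project, here is the check behind the credential-file recommendation above: a Python 3 stdlib-only routine that rewrites the credential file atomically with mode 0600 (the same way a token refresh should update it) and audits an existing file for group/other access. The variable names DROPBOX_APP_KEY and DROPBOX_REFRESH_TOKEN are assumed placeholders, not the skill's actual keys, and demo() runs in a temp directory rather than touching ~/.config/atlas/dropbox.env.

```python
import os
import stat
import tempfile
from pathlib import Path

CRED_PATH = "~/.config/atlas/dropbox.env"  # path named in the audit; demo() uses a temp dir instead
SHARED_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit

def shared_bits(path):
    """Group/other permission bits set on the file (0 means only the owner can read it)."""
    return stat.S_IMODE(os.stat(path).st_mode) & SHARED_BITS

def write_env_private(path, values):
    """Write KEY=VALUE lines with mode 0600, replacing the file atomically.
    Secrets go to a temp file in the same directory, chmod'ed before anything is
    written, then renamed over the target, so an interrupted token refresh cannot
    leave a truncated or group/other-readable credential file behind."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".dropbox.env.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), 0o600)
            f.writelines(f"{k}={v}\n" for k, v in values.items())
        os.replace(tmp, path)
    finally:
        Path(tmp).unlink(missing_ok=True)  # no-op after a successful replace

def audit_cred_file(path):
    """Findings for an existing credential file; an empty list means it passed."""
    path = Path(path)
    if not path.exists():
        return ["missing"]
    findings = []
    bits = shared_bits(path)
    if bits:
        findings.append(f"group/other access bits set: {bits:04o}")
    return findings

def demo():
    """Constructed run in a temp dir (placeholder variable names, not the skill's real ones)."""
    p = Path(tempfile.mkdtemp()) / "dropbox.env"
    write_env_private(p, {"DROPBOX_APP_KEY": "example-key", "DROPBOX_REFRESH_TOKEN": "example-token"})
    before = audit_cred_file(p)
    os.chmod(p, 0o644)  # simulate a careless chmod or umask leak
    return before, audit_cred_file(p)
```

Run audit_cred_file(os.path.expanduser(CRED_PATH)) against the real file to check an installed copy of the skill; a non-empty result means the credentials are readable by other local accounts.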