Clawdbot Skill Dropbox

by thekie · GitHub ↗ · v1.0.1
cross-platform · ⚠ suspicious · 1682 Downloads · 2 Stars · 2 Active Installs · 2 Versions
Install in OpenClaw
/install dropbox-lite
Description
Upload, download, and manage files in Dropbox with automatic OAuth token refresh.
README (SKILL.md)

Dropbox

Upload, download, list, and search files in Dropbox. Supports automatic token refresh.

Required Credentials

Variable               Required   Description
DROPBOX_APP_KEY        ✅ Yes     Your Dropbox app key
DROPBOX_APP_SECRET     ✅ Yes     Your Dropbox app secret
DROPBOX_REFRESH_TOKEN  ✅ Yes     OAuth refresh token (long-lived)
DROPBOX_ACCESS_TOKEN   Optional   Short-lived access token (auto-refreshed)

Store in ~/.config/atlas/dropbox.env:

DROPBOX_APP_KEY=your_app_key
DROPBOX_APP_SECRET=your_app_secret
DROPBOX_REFRESH_TOKEN=xxx...
DROPBOX_ACCESS_TOKEN=sl.u.xxx...

Initial Setup (One-Time)

1. Create a Dropbox App

  1. Go to https://www.dropbox.com/developers/apps
  2. Click "Create app"
  3. Choose "Scoped access"
  4. Choose "Full Dropbox" (or "App folder" for limited access)
  5. Name your app
  6. Note the App key and App secret

2. Set Permissions

In the app settings under "Permissions", enable:

  • files.metadata.read
  • files.metadata.write
  • files.content.read
  • files.content.write
  • account_info.read

Click "Submit" to save.

3. Run OAuth Flow

Generate the authorization URL:

import urllib.parse

APP_KEY = "your_app_key"

params = {
    "client_id": APP_KEY,
    "response_type": "code",
    "token_access_type": "offline"  # This gets you a refresh token!
}

auth_url = "https://www.dropbox.com/oauth2/authorize?" + urllib.parse.urlencode(params)
print(auth_url)

Give the URL to the user. They will:

  1. Open it in a browser
  2. Authorize the app
  3. Receive an authorization code

4. Exchange Code for Tokens

curl -X POST "https://api.dropboxapi.com/oauth2/token" \
  -d "code=AUTHORIZATION_CODE" \
  -d "grant_type=authorization_code" \
  -d "client_id=APP_KEY" \
  -d "client_secret=APP_SECRET"

Response includes:

  • access_token — Short-lived (~4 hours)
  • refresh_token — Long-lived (never expires unless revoked)

Usage

# Account info
dropbox.py account

# List folder
dropbox.py ls "/path/to/folder"

# Search files
dropbox.py search "query"

# Download file
dropbox.py download "/path/to/file.pdf"

# Upload file
dropbox.py upload local_file.pdf "/Dropbox/path/remote_file.pdf"

Token Refresh

The script automatically handles token refresh:

  1. On 401 Unauthorized, it uses the refresh token to get a new access token
  2. Updates dropbox.env with the new access token
  3. Retries the original request
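
The refresh-and-retry sequence above, sketched as an added example (not the skill's own `dropbox.py`). The function names are hypothetical; the rewrite of dropbox.env is atomic and leaves the file at mode 0600, and the request is retried once only.

```python
import json
import os
import tempfile
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"

def load_env(path):
    """Parse KEY=VALUE lines from the credentials file."""
    with open(path, encoding="utf-8") as fh:
        pairs = (ln.strip().split("=", 1) for ln in fh
                 if "=" in ln and not ln.startswith("#"))
        return {k: v for k, v in pairs}

def save_env(path, values):
    """Rewrite the file atomically; mkstemp creates the temp file as 0600."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.writelines(f"{k}={v}\n" for k, v in values.items())
    os.replace(tmp, path)  # readers never see a half-written file

def dropbox_refresh(env):
    """Exchange the refresh token for a new access token (network call)."""
    form = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": env["DROPBOX_REFRESH_TOKEN"],
        "client_id": env["DROPBOX_APP_KEY"],
        "client_secret": env["DROPBOX_APP_SECRET"],
    }).encode()
    with urllib.request.urlopen(TOKEN_URL, data=form, timeout=30) as resp:
        return json.load(resp)["access_token"]

def call_with_refresh(env_path, request, refresh=dropbox_refresh):
    """request(token) -> (status, body). Refresh and retry once on 401."""
    env = load_env(env_path)
    status, body = request(env.get("DROPBOX_ACCESS_TOKEN", ""))
    if status != 401:
        return status, body
    env["DROPBOX_ACCESS_TOKEN"] = refresh(env)
    save_env(env_path, env)
    return request(env["DROPBOX_ACCESS_TOKEN"])  # single retry, no loop
```

Passing `refresh` as a parameter lets the flow be exercised offline with a stub; a second 401 is returned to the caller rather than retried.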

Token Lifecycle

Token          Lifetime         Storage
Access Token   ~4 hours         Updated automatically
Refresh Token  Never expires*   Keep secure, don't share

*Refresh tokens only expire if explicitly revoked or app access is removed.

Troubleshooting

401 Unauthorized on refresh:

  • App may have been disconnected — re-run OAuth flow from step 3

403 Forbidden:

  • Check app permissions in Dropbox console

Path errors:

  • Dropbox paths start with / and are case-insensitive
  • Use forward slashes even on Windows

API Reference

Usage Guidance
This skill appears to do what it says: a lightweight Dropbox CLI that reads/writes ~/.config/atlas/dropbox.env and talks only to Dropbox endpoints. Before installing, (1) be aware the refresh token and app secret are stored in plain text in ~/.config/atlas/dropbox.env — treat them like passwords and store them securely or use a limited-scope app folder instead of Full Dropbox if possible; (2) review the included script yourself if you can (the source is present and readable); (3) note the README/package.json mention the 'requests' dependency but the script uses urllib (no extra package required) — this is a documentation mismatch, not a security issue; (4) because refresh tokens are long-lived, revoke the app from your Dropbox account if you stop using the skill; and (5) avoid granting broader Dropbox scopes than necessary. Overall the skill is internally coherent.
Capability Analysis
Type: OpenClaw Skill
Name: dropbox-lite
Version: 1.0.1

The skill is classified as suspicious due to a critical arbitrary file write vulnerability in `scripts/dropbox.py`. The `download` command allows a user to specify an arbitrary local path via the `--output` argument, enabling the script to write downloaded content to any location on the filesystem (e.g., `/etc/cron.d/evil`, `~/.bashrc`). This vulnerability could lead to privilege escalation or persistence if the agent is prompted to download a file to a sensitive system path. While the script's core functionality is legitimate, this flaw allows for significant abuse without clear malicious intent within the code itself.
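
One way to close the `--output` write path described above is to confine every download to a single directory. The following is an added example, not code from `scripts/dropbox.py`; `resolve_output`, `write_download` and the sandbox directory are hypothetical names, and the inputs in the demo are constructed.

```python
import os
import tempfile
from pathlib import Path

class UnsafeOutputPath(ValueError):
    """The requested output path falls outside the allowed download directory."""

def resolve_output(download_dir, requested):
    """Return an absolute path strictly inside download_dir, else raise."""
    base = Path(download_dir).resolve(strict=True)
    # An absolute `requested` replaces `base` in the join; resolve() then
    # collapses ".." and follows symlinks, so the check sees the real target.
    # "~" is not expanded: "~/.bashrc" becomes a literal "~" folder under base.
    target = (base / requested).resolve()
    if base not in target.parents:
        raise UnsafeOutputPath(f"{requested!r} resolves outside {base}")
    return target

def write_download(download_dir, requested, data):
    """Create a new file under download_dir; never overwrite or follow a link."""
    target = resolve_output(download_dir, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL refuses existing files; O_NOFOLLOW (POSIX) refuses a symlink
    # planted at the final path component after the check above.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(target, flags, 0o600), "wb") as fh:
        fh.write(data)
    return target

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sandbox:  # constructed sandbox
        for name in ["report.pdf", "sub/a.txt", "../x", "/etc/cron.d/evil"]:
            try:
                print("wrote", write_download(sandbox, name, b"constructed bytes"))
            except UnsafeOutputPath as exc:
                print("refused:", exc)
```

Running the agent under an account that cannot write to system paths remains the backstop if a check like this is bypassed.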
Capability Assessment
Purpose & Capability
Name/description (Dropbox file management + token refresh) match the required credentials, the README, SKILL.md, package.json, and the script. Requested env vars (app key/secret and refresh token) are appropriate for OAuth refresh behavior.
Instruction Scope
SKILL.md and the script only read/write ~/.config/atlas/dropbox.env and local files being uploaded/downloaded, and call official Dropbox API endpoints (api.dropboxapi.com, content.dropboxapi.com). There is no instruction to read unrelated system files or exfiltrate data to other endpoints.
Install Mechanism
There is no install spec (instruction-only), so nothing is pulled from external URLs. Minor inconsistency: README/package.json recommend or list the 'requests' dependency, but the included script uses Python's urllib (no runtime dependency required). This is an implementation/documentation mismatch but not a dangerous install mechanism.
Credentials
Only Dropbox app credentials and a refresh token are required, which are necessary for the described functionality. The skill persists tokens to ~/.config/atlas/dropbox.env in plain text — functionally expected but sensitive, and appropriate for the tool's purpose.
Persistence & Privilege
The skill does not request forced 'always' inclusion and does not modify other skills or system-wide settings. It can be invoked autonomously (platform default), which increases operational scope but is expected for an agent skill.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dropbox-lite
  3. After installation, invoke the skill by name or use /dropbox-lite
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Fix: Declare required credentials (DROPBOX_APP_KEY, DROPBOX_APP_SECRET, DROPBOX_REFRESH_TOKEN) in package.json metadata
v1.0.0
Initial release of Dropbox integration with automatic OAuth token refresh.

  • Upload, download, list, and search Dropbox files from the command line.
  • Supports OAuth authorization with secure storage of access and refresh tokens.
  • Automatically refreshes expired access tokens and updates credentials file.
  • Step-by-step setup instructions for creating a Dropbox app and configuring permissions.
  • Handles file and account operations using straightforward commands.
Metadata
Slug dropbox-lite
Version 1.0.1
License
All-time Installs 2
Active Installs 2
Total Versions 2
Frequently Asked Questions

What is Clawdbot Skill Dropbox?

Upload, download, and manage files in Dropbox with automatic OAuth token refresh. It is an AI Agent Skill for Claude Code / OpenClaw, with 1682 downloads so far.

How do I install Clawdbot Skill Dropbox?

Run "/install dropbox-lite" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Clawdbot Skill Dropbox free?

Yes, Clawdbot Skill Dropbox is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Clawdbot Skill Dropbox support?

Clawdbot Skill Dropbox is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Clawdbot Skill Dropbox?

It is built and maintained by thekie (@thekie); the current version is v1.0.1.
