thekie

Clawdbot Skill Dropbox

Author: thekie · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 1682
Favorites: 2
Current installs: 2
Versions: 2
Install in OpenClaw
/install dropbox-lite
Description
Upload, download, and manage files in Dropbox with automatic OAuth token refresh.
Usage instructions (SKILL.md)

Dropbox

Upload, download, list, and search files in Dropbox. Supports automatic token refresh.

Required Credentials

| Variable | Required | Description |
|---|---|---|
| DROPBOX_APP_KEY | ✅ Yes | Your Dropbox app key |
| DROPBOX_APP_SECRET | ✅ Yes | Your Dropbox app secret |
| DROPBOX_REFRESH_TOKEN | ✅ Yes | OAuth refresh token (long-lived) |
| DROPBOX_ACCESS_TOKEN | Optional | Short-lived access token (auto-refreshed) |

Store in ~/.config/atlas/dropbox.env:

DROPBOX_APP_KEY=your_app_key
DROPBOX_APP_SECRET=your_app_secret
DROPBOX_REFRESH_TOKEN=xxx...
DROPBOX_ACCESS_TOKEN=sl.u.xxx...

Initial Setup (One-Time)

1. Create a Dropbox App

  1. Go to https://www.dropbox.com/developers/apps
  2. Click "Create app"
  3. Choose "Scoped access"
  4. Choose "Full Dropbox" (or "App folder" for limited access)
  5. Name your app
  6. Note the App key and App secret

2. Set Permissions

In the app settings under "Permissions", enable:

  • files.metadata.read
  • files.metadata.write
  • files.content.read
  • files.content.write
  • account_info.read

Click "Submit" to save.

3. Run OAuth Flow

Generate the authorization URL:

import urllib.parse

APP_KEY = "your_app_key"

params = {
    "client_id": APP_KEY,
    "response_type": "code",
    "token_access_type": "offline"  # This gets you a refresh token!
}

auth_url = "https://www.dropbox.com/oauth2/authorize?" + urllib.parse.urlencode(params)
print(auth_url)

Give the URL to the user. They will:

  1. Open it in a browser
  2. Authorize the app
  3. Receive an authorization code

4. Exchange Code for Tokens

curl -X POST "https://api.dropboxapi.com/oauth2/token" \
  -d "code=AUTHORIZATION_CODE" \
  -d "grant_type=authorization_code" \
  -d "client_id=APP_KEY" \
  -d "client_secret=APP_SECRET"

Response includes:

  • access_token — Short-lived (~4 hours)
  • refresh_token — Long-lived (never expires unless revoked)

Usage

# Account info
dropbox.py account

# List folder
dropbox.py ls "/path/to/folder"

# Search files
dropbox.py search "query"

# Download file
dropbox.py download "/path/to/file.pdf"

# Upload file
dropbox.py upload local_file.pdf "/Dropbox/path/remote_file.pdf"

Token Refresh

The script automatically handles token refresh:

  1. On 401 Unauthorized, it uses the refresh token to get a new access token
  2. Updates dropbox.env with the new access token
  3. Retries the original request
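
The refresh-and-retry sequence above, as an added example (not the skill's own scripts/dropbox.py code). The send and refresh callables are hypothetical stand-ins for the HTTP calls so the sketch runs offline, and the token values are constructed. Because dropbox.env holds the long-lived refresh token, the file is rewritten atomically through an owner-only (0600) temporary file.

```python
import os
import stat
import tempfile

def load_env(path):
    """Parse KEY=VALUE lines from the credentials file into a dict."""
    values = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                values[key.strip()] = value.strip()
    return values

def save_env_atomic(path, values):
    """Write to a temp file (mkstemp creates it 0600), then rename over the target."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.writelines(f"{k}={v}\n" for k, v in values.items())
        os.replace(tmp, path)  # atomic on POSIX: no half-written credentials file
    except BaseException:
        os.unlink(tmp)
        raise

def call_with_refresh(env_path, send, refresh):
    """send(token) -> (status, body); refresh(key, secret, refresh_token) -> new token.
    Both are hypothetical callables standing in for the Dropbox HTTP requests."""
    env = load_env(env_path)
    status, body = send(env.get("DROPBOX_ACCESS_TOKEN", ""))
    if status != 401:
        return status, body
    env["DROPBOX_ACCESS_TOKEN"] = refresh(
        env["DROPBOX_APP_KEY"], env["DROPBOX_APP_SECRET"], env["DROPBOX_REFRESH_TOKEN"])
    save_env_atomic(env_path, env)
    return send(env["DROPBOX_ACCESS_TOKEN"])  # one retry only; a second 401 is returned

def demo():
    """Constructed run: an expired token triggers one refresh, then the retry succeeds."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dropbox.env")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("DROPBOX_APP_KEY=k\nDROPBOX_APP_SECRET=s\n"
                     "DROPBOX_REFRESH_TOKEN=r\nDROPBOX_ACCESS_TOKEN=sl.u.expired\n")
        send = lambda tok: (200, "ok") if tok == "sl.u.fresh" else (401, "expired")
        status, _ = call_with_refresh(path, send, lambda k, s, r: "sl.u.fresh")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return status, load_env(path)["DROPBOX_ACCESS_TOKEN"], mode

if __name__ == "__main__":
    print(demo())
```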

Token Lifecycle

| Token | Lifetime | Storage |
|---|---|---|
| Access Token | ~4 hours | Updated automatically |
| Refresh Token | Never expires* | Keep secure, don't share |

*Refresh tokens only expire if explicitly revoked or app access is removed.

Troubleshooting

401 Unauthorized on refresh:

  • App may have been disconnected — re-run OAuth flow from step 3

403 Forbidden:

  • Check app permissions in Dropbox console

Path errors:

  • Dropbox paths start with / and are case-insensitive
  • Use forward slashes even on Windows

API Reference

Safe usage recommendations
This skill appears to do what it says: a lightweight Dropbox CLI that reads/writes ~/.config/atlas/dropbox.env and talks only to Dropbox endpoints. Before installing, (1) be aware the refresh token and app secret are stored in plain text in ~/.config/atlas/dropbox.env — treat them like passwords and store them securely or use a limited-scope app folder instead of Full Dropbox if possible; (2) review the included script yourself if you can (the source is present and readable); (3) note the README/package.json mention the 'requests' dependency but the script uses urllib (no extra package required) — this is a documentation mismatch, not a security issue; (4) because refresh tokens are long-lived, revoke the app from your Dropbox account if you stop using the skill; and (5) avoid granting broader Dropbox scopes than necessary. Overall the skill is internally coherent.
Functional analysis
Type: OpenClaw Skill
Name: dropbox-lite
Version: 1.0.1

The skill is classified as suspicious due to a critical arbitrary file write vulnerability in `scripts/dropbox.py`. The `download` command allows a user to specify an arbitrary local path via the `--output` argument, enabling the script to write downloaded content to any location on the filesystem (e.g., `/etc/cron.d/evil`, `~/.bashrc`). This vulnerability could lead to privilege escalation or persistence if the agent is prompted to download a file to a sensitive system path. While the script's core functionality is legitimate, this flaw allows for significant abuse without clear malicious intent within the code itself.
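
One way to close the arbitrary-write path described above, as an added example rather than the skill's own code: confine every --output value to a single download directory and refuse to overwrite existing files. The names resolve_output, write_download and UnsafeOutputPath are hypothetical, and the sample paths are constructed apart from /etc/cron.d/evil, which the analysis names.

```python
import os
import tempfile

class UnsafeOutputPath(ValueError):
    """Raised when a requested output path resolves outside the download root."""

def resolve_output(download_root, requested):
    """Map a user-supplied --output value to a real path under download_root."""
    root = os.path.realpath(download_root)
    # join() lets an absolute `requested` replace root; realpath() then collapses
    # ".." and follows symlinks, so every escape shows up in the final comparison.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeOutputPath(f"{requested!r} resolves outside {root}")
    return candidate

def write_download(download_root, requested, data):
    """Write data to the confined path; never overwrite or follow a final symlink."""
    target = resolve_output(download_root, requested)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)  # O_EXCL: fails if the file already exists
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target

def demo():
    """Constructed inputs: two benign names, an absolute path, '..', and a symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "downloads"), os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))  # directory link leaving root
        results = {}
        for req in ["report.pdf", "sub/report.pdf", "/etc/cron.d/evil",
                    "../outside/x", "link/x"]:
            try:
                write_download(root, req, b"data")
                results[req] = "written"
            except UnsafeOutputPath:
                results[req] = "rejected"
        return results

if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{outcome:9} {path}")
```

The realpath check and the open are separate steps, so this assumes no other process can modify the download directory between them.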
Capability assessment
Purpose & Capability
Name/description (Dropbox file management + token refresh) match the required credentials, the README, SKILL.md, package.json, and the script. Requested env vars (app key/secret and refresh token) are appropriate for OAuth refresh behavior.
Instruction Scope
SKILL.md and the script only read/write ~/.config/atlas/dropbox.env and local files being uploaded/downloaded, and call official Dropbox API endpoints (api.dropboxapi.com, content.dropboxapi.com). There is no instruction to read unrelated system files or exfiltrate data to other endpoints.
Install Mechanism
There is no install spec (instruction-only), so nothing is pulled from external URLs. Minor inconsistency: README/package.json recommend or list the 'requests' dependency, but the included script uses Python's urllib (no runtime dependency required). This is an implementation/documentation mismatch but not a dangerous install mechanism.
Credentials
Only Dropbox app credentials and a refresh token are required, which are necessary for the described functionality. The skill persists tokens to ~/.config/atlas/dropbox.env in plain text — functionally expected but sensitive, and appropriate for the tool's purpose.
Persistence & Privilege
The skill does not request forced 'always' inclusion and does not modify other skills or system-wide settings. It can be invoked autonomously (platform default), which increases operational scope but is expected for an agent skill.
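How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install dropbox-lite
  3. Once installed, invoke the Skill by name or trigger it with /dropbox-lite
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history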
v1.0.1
Fix: Declare required credentials (DROPBOX_APP_KEY, DROPBOX_APP_SECRET, DROPBOX_REFRESH_TOKEN) in package.json metadata
v1.0.0
Initial release of Dropbox integration with automatic OAuth token refresh.
  • Upload, download, list, and search Dropbox files from the command line.
  • Supports OAuth authorization with secure storage of access and refresh tokens.
  • Automatically refreshes expired access tokens and updates credentials file.
  • Step-by-step setup instructions for creating a Dropbox app and configuring permissions.
  • Handles file and account operations using straightforward commands.
Metadata
Slug dropbox-lite
Version 1.0.1
License
Total installs 2
Current installs 2
Historical versions 2
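Frequently asked questions

What is Clawdbot Skill Dropbox?

Upload, download, and manage files in Dropbox with automatic OAuth token refresh. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1682 total downloads to date.

How do I install Clawdbot Skill Dropbox?

Run the command "/install dropbox-lite" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.

Is Clawdbot Skill Dropbox free?

Yes, Clawdbot Skill Dropbox is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Clawdbot Skill Dropbox support?

Clawdbot Skill Dropbox is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Clawdbot Skill Dropbox?

It is developed and maintained by thekie (@thekie); the current version is v1.0.1.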
