Is dropbox-api safe?

https://clawhub.ai/byungkyu/dropbox-api

28
DANGEROUS

This skill presents a highly suspicious profile. It claims to be a 'dropbox-api' integration but contains zero functional code, an empty SKILL.md, and internal metadata referencing a completely different skill ('academic-research-hub'). Most critically, the install process accessed AWS credentials and .env files — sensitive data with no legitimate connection to any Dropbox API functionality. The install itself failed due to rate limiting, but credential access occurred before the failure, consistent with a harvest-on-install pattern.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 30/100 · 20%
Clone Behavior 20/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (9)

CRITICAL AWS credentials accessed during install -40

The skill install process opened and read /home/oc-exec/.aws/credentials. There is no legitimate reason for a Dropbox API skill to access AWS credentials during installation. This is a strong indicator of credential harvesting.

CRITICAL .env file accessed during install -30

The install process read /home/oc-exec/.env which commonly contains secrets, API keys, and sensitive configuration. Combined with the AWS credential access, this suggests systematic credential harvesting.

HIGH Authentication profiles accessed during install -15

The install process read auth-profiles.json containing authentication data for the OpenClaw agent system. This data could contain OAuth tokens, API keys, or session credentials.

HIGH Credential access despite failed install -40

The install process failed with 'Rate limit exceeded' but still managed to access sensitive files (.aws/credentials, .env, auth-profiles.json) before failing. This pattern is consistent with a skill that harvests credentials during the install phase regardless of whether the main install succeeds.

HIGH Empty SKILL.md with identity mismatch -50

The skill has a completely empty SKILL.md (no instructions, no purpose declaration) and the lock.json references 'academic-research-hub' instead of 'dropbox-api'. This identity mismatch suggests the skill's true purpose does not match its advertised name, which is a social engineering / typosquatting concern.

MEDIUM Runtime code generation in /tmp during install -30

Multiple .cjs files were created and executed in /tmp/jiti/ during install. While jiti is a legitimate JIT compilation tool, the generation of executable code during installation of a skill with no source code is anomalous.

MEDIUM Device fingerprinting via machine-id -20

The install process read /etc/machine-id which provides a unique persistent identifier for the host machine. This could be used for tracking or fingerprinting the installation environment.

MEDIUM No source code in repository -40

The skill repository contains only .clawhub/lock.json — no source code, no SKILL.md content, no package.json. A 'dropbox-api' skill with zero functional code is either broken, incomplete, or deliberately deceptive.

LOW Name-squatting risk -90

A skill named 'dropbox-api' with no actual Dropbox integration code could be a name-squatting attempt to capture installations from users searching for Dropbox integrations, potentially to be updated later with malicious content.