Is ferreirafabio/dropbox-kb-auto safe?
https://github.com/openclaw/skills/tree/main/skills/ferreirafabio/dropbox-kb-auto
The dropbox-kb-auto skill contains no malicious code, no prompt injection in its SKILL.md, and no unauthorized network activity during installation—all monitored canary files remain intact and the sole external connection during install was to GitHub. Its primary risks are structural rather than malicious: the OCR and text extraction pipeline places all Dropbox document content—including potential adversarial payloads embedded in files from shared folders or external downloads—directly into the agent's persistent knowledge base without sanitization, and a persistent cron job runs every 6 hours with full Dropbox read credentials that survives skill file removal. Users who index Dropbox folders containing documents from untrusted third parties should be aware that those documents become part of the agent's context and could influence agent behavior.
Findings (12)
HIGH Indirect Prompt Injection via OCR'd and Extracted Dropbox Content -12
The skill extracts text from all configured Dropbox files—including OCR of scanned PDFs and images via tesseract—and stores the raw extracted text in the agent's persistent knowledge base as markdown files. Any adversarially crafted document in the user's Dropbox (planted via shared folder, unknowingly downloaded, or received as an email attachment) could contain prompt injection payloads that get indexed into the agent's memory and influence future agent responses when users query the knowledge base. The extraction pipeline performs no sanitization of document content before writing to memory.
MEDIUM Structural Indirect Prompt Injection Cannot Be Mitigated by User Behavior Alone -30
Unlike a skill that reads specific named files on request, this skill's automated delta-sync design means adversarial content from any document that enters the user's Dropbox is automatically ingested into the agent's knowledge base without user awareness or review. The user cannot prevent this without manually auditing every indexed file. A threat actor with access to any Dropbox folder shared with the victim (including read-only shared folders) can plant injection payloads that persist in agent memory across sessions.
MEDIUM Persistent Cron Job Survives Skill Removal with Ongoing Credential Access -20
The openclaw cron create command in install.sh registers a system-level scheduled task that runs dropbox-sync.py every 6 hours with a 4-hour timeout. This scheduled job retains access to Dropbox API credentials stored in ~/.openclaw/.env and continues executing indefinitely. Deleting the skill's files from ~/.openclaw/workspace/skills/dropbox-kb-auto/ does not automatically remove the cron job, creating a persistence mechanism that outlives the user's intent to uninstall.
MEDIUM Entire Dropbox Document Library Indexed into Agent-Accessible Memory -12
All documents from configured Dropbox folders (PDFs, Office files, images, text files up to 20MB) are downloaded, text-extracted, and written to the agent's knowledge base as searchable markdown files. This gives the agent persistent, unscoped access to potentially sensitive business documents, financial records, contracts, personal data, and proprietary information from the user's Dropbox across all future agent sessions, not just those explicitly about Dropbox.
MEDIUM Persistent Background Cron Job with Extended Execution Window -15
The skill registers an OpenClaw cron job with a 14400-second (4-hour) execution timeout running every 6 hours. This is a long-running background process with full Dropbox read access that executes without user interaction, downloading and indexing new content continuously across the lifetime of the installation.
LOW Broad Document Access Scope May Leak Sensitive Content in Agent Responses -10
With all configured Dropbox folders indexed into the agent's knowledge base, the agent may surface sensitive information (financial data, personal communications, confidential business documents) when users make queries that trigger retrieval from the Dropbox knowledge base. Users may not realize how broadly the agent can draw on this indexed content or that documents they didn't intend to share with the agent are now in its context.
LOW Full Dropbox OAuth Scope Exceeds Minimum Required Access -10
The skill requires 'Full Dropbox' access scope (files.metadata.read + files.content.read) rather than folder-specific scoped OAuth tokens. These broad credentials are stored in ~/.openclaw/.env and read by dropbox-sync.py at every execution. While no unauthorized transmission of these credentials was observed, the credential scope grants access to the user's entire Dropbox rather than only the configured folders.
LOW Background Cron Job Maintains Continuous Credential Exposure to Dependency Chain -6
The persistent cron job reads Dropbox API credentials from ~/.openclaw/.env at every 6-hour execution, meaning the credentials are in active use continuously. Any future vulnerability in dropbox-sync.py's dependencies (pypdf, python-docx, openpyxl, python-pptx, Pillow/tesseract) or in the OCR pipeline processing attacker-controlled document content could expose these credentials.
LOW install.sh Rewrites dropbox-sync.py Using Inline Python Heredoc -10
The install.sh embeds a Python heredoc that reads user-provided config values (folder names, skip paths, file extensions) from a JSON file and writes them directly into dropbox-sync.py via string replacement using script.replace(). While the values are read from JSON and the replacement targets specific constant strings, this is a pattern of a shell script dynamically rewriting Python source code based on external input. If config values contained escape sequences or Python syntax that broke the string context, code could be injected into the running script.
LOW setup.sh Escalates to Root via sudo for Package Installation -8
The setup.sh calls 'sudo apt-get install' or 'sudo yum install' to install system packages (tesseract-ocr, tesseract-ocr-eng, tesseract-ocr-deu, poppler-utils, python3-pip) requiring root privileges. While standard practice for system dependencies, this grants the installer script root-level access to the system package manager and should be reviewed before execution.
LOW Installation Requires External Network Connection to GitHub -5
The skill is installed via git sparse-checkout from github.com, requiring an outbound HTTPS connection to 140.82.121.3:443. The installed code is fetched from an external server at install time. No unexpected secondary connections were observed beyond this expected GitHub connection.
INFO Honeypot Credential Files Accessed Only by Monitoring Infrastructure, Not Skill Code 0
Six sensitive credential honeypot files were accessed during the audit window, but timing analysis confirms these accesses occurred in two clusters consistent with monitoring system baseline collection: before skill installation at audit timestamps 1771917407.909-910 (git clone did not begin until 1771917413.408) and after skill teardown at 1771917425.357. No skill source code contains logic to read SSH keys, AWS credentials, Docker configs, npmrc, or cloud provider credential files. All canary files remain unmodified.