ClawHub
Code PluginExecutes codesource-linked

Dropbox

OpenClaw plugin for Dropbox integration — list, download, upload, share, search, and delete files

Community code plugin. Review compatibility and verification before install.
@tardigrde/openclaw-dropbox-plugin · runtime id dropbox
Install
openclaw plugins install clawhub:@tardigrde/openclaw-dropbox-plugin
Latest Release
Version v2.0.1
Compatibility
{
  "builtWithOpenClawVersion": "2026.3.22",
  "pluginApiRange": ">=2026.3.22"
}
Capabilities
{
  "bundledSkills": [],
  "capabilityTags": [
    "executes-code"
  ],
  "channels": [],
  "commandNames": [],
  "configSchema": true,
  "configUiHints": false,
  "executesCode": true,
  "hooks": [],
  "httpRouteCount": 0,
  "materializesDependencies": false,
  "providers": [],
  "runtimeId": "dropbox",
  "serviceNames": [],
  "setupEntry": false,
  "toolNames": []
}
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The declared purpose (Dropbox file management) matches the code and SKILL.md: the tools call Dropbox APIs (list, download, upload, share, search, delete). However the registry metadata shown earlier declares no required env vars or primary credential, while both SKILL.md and src/index.ts require an environment variable DROPBOX_ACCESS_TOKEN. That mismatch between metadata and actual credential requirement is an incoherence a user should be aware of.
Instruction Scope
The SKILL.md instructions are scoped to Dropbox workflows (how to create a Dropbox app, set DROPBOX_ACCESS_TOKEN, which endpoints/functions to call). The runtime instructions and tool docs do not direct the agent to read unrelated system files or to exfiltrate data to any endpoint other than Dropbox. The code only reads process.env.DROPBOX_ACCESS_TOKEN (no other environment variables) and uses official Dropbox API endpoints.
Install Mechanism
There is no explicit install spec (instruction-only install), which is lower risk. The repository contains package.json and a large package-lock.json; package.json lists only @sinclair/typebox as a runtime dependency, but the lockfile includes many unrelated packages (AWS SDK pieces, Anthropic SDK, etc.). That is unusual and warrants a quick provenance check (it could be a generated lockfile from a different environment, but it increases audit surface if code is ever installed). There are no downloads from arbitrary URLs or extract steps in the provided files.
!
Credentials
The plugin legitimately needs a Dropbox access token. However the registry metadata did not declare any required env vars or a primary credential while SKILL.md and src/index.ts explicitly require DROPBOX_ACCESS_TOKEN. This mismatch is the primary proportionality concern. Apart from that single credential, no unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide configuration. It registers a set of tools and only constructs a DropboxClient when invoked. Autonomous invocation by the agent is enabled by default (normal), but there is no additional privilege escalation requested by the plugin.
What to consider before installing
This plugin appears to implement exactly the Dropbox operations it documents, but there are a few things to check before installing: - Required token: The plugin requires a DROPBOX_ACCESS_TOKEN (documented in SKILL.md and enforced by code). The registry metadata did not list this — assume you must supply the token. Only provide tokens you control. - Least privilege: When creating the Dropbox app, prefer 'App folder' scope or restrict scopes where possible. Do not use a long-lived token with Full Dropbox access for sensitive accounts unless you accept the risk. - Token handling: Treat the access token like a secret. Store it in a secure place, rotate it if the plugin is removed, and avoid pasting it into untrusted environments. - Lockfile provenance: package-lock.json contains many unexpected packages unrelated to the lightweight dependency list in package.json. That increases supply-chain surface if the package is installed. If you intend to install the plugin, verify the repository origin (GitHub URL), the publisher identity, and consider inspecting the published package contents or building from source locally. - Review network behavior: The code makes HTTPS calls only to Dropbox API endpoints. If you need stronger assurance, run the plugin in a restricted/sandboxed environment and monitor outbound connections during first use. - Confirm prompts/confirmations: The plugin exposes destructive actions (delete). Ensure your agent flow or prompts confirm deletion/ sharing of sensitive files with the user before proceeding. If these checks are acceptable, the plugin is coherent with its stated purpose; if you have any doubt about the publisher or the lockfile, don't install or run it with a broad access token.
Verification
{
  "hasProvenance": false,
  "scanStatus": "pending",
  "scope": "artifact-only",
  "sourceCommit": "0bd0391338320e78a954b4da3bb276ff947ad6e7",
  "sourceRepo": "tardigrde/openclaw-dropbox-plugin",
  "sourceTag": "v2.0.1",
  "summary": "Validated package structure and linked the release to source metadata.",
  "tier": "source-linked"
}
Tags
{
  "latest": "v2.0.1"
}

@tardigrde/openclaw-dropbox-plugin

OpenClaw plugin that provides Dropbox file management tools — list, download, upload, share, search, and delete files.

Prerequisites

  1. Dropbox App — Create an app at Dropbox App Console
    • Choose "Full Dropbox" or "App folder" access
    • Generate an access token
  2. OpenClaw installed and configured

Installation

openclaw plugins install @tardigrde/openclaw-dropbox-plugin

Configuration

Set your Dropbox access token as an environment variable:

export DROPBOX_ACCESS_TOKEN="sl.xxxxxxxxxxxxxxxxxxxxx"

Or add it to your OpenClaw configuration in openclaw.json:

{
  "plugins": {
    "dropbox": {
      "env": {
        "DROPBOX_ACCESS_TOKEN": "sl.xxxxxxxxxxxxxxxxxxxxx"
      },
      "config": {
        "maxDownloadBytes": 104857600
      }
    }
  }
}

Tools

dropbox_list

List the contents of a Dropbox folder.

Parameters:

  • path (string, required) — Folder path (e.g., /Documents, "" for root)
  • recursive (boolean, optional) — List subdirectories recursively

Returns: Array of entries with name, path, type (file/folder), size, modified.

→ dropbox_list path="/Documents"
← [name: "report.pdf", type: "file", size: "2.3 MB", ...]

dropbox_download

Download a file from Dropbox. Returns base64-encoded content.

Parameters:

  • path (string, required) — File path (e.g., /Documents/report.pdf)
  • maxBytes (number, optional) — Max allowed file size in bytes

Returns: name, size, data (base64), encoding.

→ dropbox_download path="/Documents/report.pdf"
← [name: "report.pdf", size: "2.3 MB", data: "JVBERi0...", encoding: "base64"]

dropbox_upload

Upload a file to Dropbox.

Parameters:

  • path (string, required) — Destination path including filename (e.g., /Documents/new-report.pdf)
  • content (string, required) — File content as base64-encoded string
  • mode (string, optional) — "add" (default) or "overwrite"

Returns: name, path, size, modified.

→ dropbox_upload path="/Documents/new-report.pdf" content="SGVsbG8=" mode="add"
← [name: "new-report.pdf", path: "/Documents/new-report.pdf", ...]

dropbox_share

Create a public share link for a file or folder.

Parameters:

  • path (string, required) — Path to share (e.g., /Documents/report.pdf)

Returns: url (public link), name.

→ dropbox_share path="/Documents/report.pdf"
← [url: "https://www.dropbox.com/s/...", name: "report.pdf"]

dropbox_search

Search for files and folders by name.

Parameters:

  • query (string, required) — Search query
  • path (string, optional) — Limit search to a folder
  • maxResults (number, optional) — Max results to return (default: 20)

Returns: Array of matches with name, path, type, size.

→ dropbox_search query="report"
← [matches: [{name: "report.pdf", path: "/Documents/report.pdf", ...}]]

dropbox_delete

Delete a file or folder from Dropbox. The item is moved to trash.

Parameters:

  • path (string, required) — Path to delete (e.g., /Documents/old-report.pdf)

Returns: deleted (boolean), name, path, type.

→ dropbox_delete path="/Documents/old-report.pdf"
← [deleted: true, name: "old-report.pdf", type: "file"]

Dropbox App Setup

  1. Go to Dropbox App Console
  2. Click Create App
  3. Choose Scoped access and select access type:
    • Full Dropbox — access to entire Dropbox (recommended for personal use)
    • App folder — access limited to a single folder
  4. Name your app (e.g., openclaw-dropbox)
  5. In Permissions tab, enable:
    • files.metadata.read
    • files.content.read
    • files.content.write
    • sharing.write
  6. Click Submit
  7. In Settings tab, click Generate access token
  8. Copy the token and set it as DROPBOX_ACCESS_TOKEN

Troubleshooting

"DROPBOX_ACCESS_TOKEN environment variable is required"

  • Set the environment variable before starting OpenClaw

"Dropbox API error 401"

  • Access token is invalid or expired. Generate a new one from the App Console

"Dropbox API error 409"

  • Path not found. Verify the path starts with / and the file exists

"File size exceeds limit"

  • The file is larger than maxDownloadBytes. Increase the limit in config or download a smaller file

Upload fails with large files

  • This plugin uses the simple upload endpoint (up to 150 MB). For larger files, chunked upload is needed (not yet implemented)

Development

npm ci              # Install dependencies
npm run typecheck   # Type-check without emitting
npx tsc             # Full compile to dist/
npm test            # Run vitest (watch mode)
npm test -- --run   # Run vitest once

License

MIT