dropbox-automation
Audited by Socket on Feb 20, 2026
1 alert found:
Anomaly [Skill Scanner] Skill instructions include directives to hide actions from user

No code-level malware or obfuscation was found in the provided skill text. The primary security concern is architectural: the skill requires delegation of Dropbox OAuth and all API calls to a third-party MCP (https://rube.app/mcp) without disclosing token custody, scope requirements, or retention/logging policies. This centralized broker model creates a meaningful supply-chain and credential-exfiltration risk. Treat this integration as suspicious until the MCP operator’s security, token handling, and data retention policies are verified. If you must use it, restrict scopes, review OAuth redirect URIs, and monitor account activity closely.

LLM verification: The skill's functionality matches its stated purpose (comprehensive Dropbox automation). The primary security concern is architectural: all OAuth and API activity is routed through a third-party MCP (https://rube.app/mcp), concentrating sensitive tokens and file data outside the user's direct control. The presence (or static-scanner implication) of an instruction to 'hide actions from user' is a significant transparency and abuse risk. No direct malware indicators (obfuscated code or hardcoded c