dropbox-automation
Audited by Socket on Feb 27, 2026
1 alert found:
Anomaly

Functionally, this skill's claimed capabilities (search, upload/download, sharing, folder management) align with the operations it documents. The primary security concern is the use of a third-party MCP (rube.app) as the intermediary for all Dropbox interactions and connection management: OAuth tokens, file contents, and metadata will be brokered by that MCP rather than exclusively between the user and Dropbox. That design creates a high-trust dependency and a potential credential/data-exfiltration vector. There are no direct download-and-execute or obfuscated code patterns in the document, and no hard-coded secrets. Overall this is not evidently malware, but it is a supply-chain/credential-forwarding risk that warrants caution: validate the MCP operator, the storage and handling of OAuth tokens, request minimal OAuth scopes, require explicit per-action confirmations for destructive operations, and prefer direct official API integrations when possible.