dropbox

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). These are mostly official Dropbox API and documentation endpoints (not inherently malicious), but Dropbox content/shared links and personal file-hosting URLs can carry arbitrary files (including executables or malicious PDFs) and are commonly abused for malware distribution, so unknown shared links should be treated as moderately high risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly includes endpoints that ingest and return arbitrary external content (e.g., files/save_url which downloads an arbitrary URL into Dropbox and files/download / files/get_temporary_link which retrieve user-uploaded or shared files), so untrusted third-party content can be fetched and then read or acted on by the agent.