B

Dropbox Dash MCP Server

MCP server exposing Dropbox Dash search and file metadata via stdio or SSE

Overall Score: 82/100

Server Info

Package: mcp-server-dash
Registry: pypi
Maintainer: Dropbox (Vendor)
Category: Document Management
Tags: files, storage, dropbox
Last Scanned: 7 Apr 2026

Findings

4 issues

Authentication & Identity

MEDIUM: HTTP/SSE transport supports per-request credentials

Supports both stdio and SSE/streamable-http server modes (via --mode flag). Uses Dropbox PKCE OAuth flow (RFC 7636) for user authentication, with tokens persisted locally via keyring or file. No MCP-level OAuth spec implementation. The auth flow is tool-driven: LLM calls dash_get_auth_url, user authorizes in browser, then LLM calls dash_authenticate with the code. SSL support available via --ssl-keyfile/--ssl-certfile flags.

Remediation

Implement the MCP OAuth spec so users authenticate directly without platform mediation.

Tool Schema Quality

MEDIUM: Only 1 of 4 schemas has parameter constraints

Most schemas lack maxLength, enum, or pattern constraints on string parameters.

Remediation

Add constraints to string parameters, especially on write operations.

LLM Safety

HIGH: Tool descriptions contain instructional language

Descriptions include directives that could influence LLM behavior beyond tool selection.

Remediation

Remove instructional language. Descriptions should be purely factual.

Data Exposure

LOW: No field selection on responses

Responses return full records rather than projected fields.

Remediation

Implement field selection to return only relevant fields.

Tools

4 total
Name | Description | Risk
dash_get_auth_url | Start Dropbox OAuth with PKCE; returns the authorization URL. | read
dash_authenticate | Complete Dropbox OAuth using the one-time authorization code with PKCE. | admin
dash_company_search | Search company content indexed by Dropbox Dash. | read
dash_get_file_details | Fetch detailed metadata (and optional content snippet) for a result UUID. | read
