Xiaoya Download
PassAudited by ClawScan on May 6, 2026.
Overview
The skill matches its stated purpose of searching a configured XiaoYa/Alist server and copying selected media locally, but users should verify local paths and dependencies before use.
This appears safe for its stated downloader purpose. Before installing, make sure you trust the configured XiaoYa/Alist host, install dependencies from trusted sources, and set DOWNLOAD_DIR and WEBDAV_MOUNT to directories you are comfortable letting the skill read from and write to.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A selected download can consume disk space or overwrite/update same-named files in the configured download directory.
The skill invokes the local rsync tool to copy files from a WebDAV mount to the configured download directory. This is central to the stated purpose and uses argument lists rather than shell execution, but it can create or update local files.
cmd = ["rsync", "--progress", "--partial", "-av", webdav_path, dst]; result = subprocess.run(cmd, capture_output=True, text=True, timeout=7200)
Use a dedicated DOWNLOAD_DIR, verify the selected search result before copying, and keep backups for any directory where overwrites would matter.
The skill may fail until the user installs the needed dependencies and creates the .env configuration.
The documentation requires local tools and a Python package even though the registry metadata lists no required binaries, environment variables, or install spec. This is an under-declared setup requirement, not hidden behavior.
- **rsync**(系统命令,用于 WebDAV 复制) - **Python 3 + requests 库**(`pip3 install requests`)
Install rsync and requests from trusted package sources, create the .env file yourself, and confirm paths before running copy operations.