Xiaoya Download

Advisory

Audited by Static analysis on May 6, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A selected download can consume disk space or overwrite/update same-named files in the configured download directory.

Why it was flagged

The skill invokes the local rsync tool to copy files from a WebDAV mount to the configured download directory. This is central to the stated purpose and uses argument lists rather than shell execution, but it can create or update local files.

Skill content
cmd = ["rsync", "--progress", "--partial", "-av", webdav_path, dst]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=7200)

Recommendation

Use a dedicated DOWNLOAD_DIR, verify the selected search result before copying, and keep backups for any directory where overwrites would matter.

What this means

The skill may fail until the user installs the needed dependencies and creates the .env configuration.

Why it was flagged

The documentation requires local tools and a Python package even though the registry metadata lists no required binaries, environment variables, or install spec. This is an under-declared setup requirement, not hidden behavior.

Skill content
- **rsync** (system command, used for WebDAV copying)
- **Python 3 + requests library** (`pip3 install requests`)

Recommendation

Install rsync and requests from trusted package sources, create the .env file yourself, and confirm paths before running copy operations.