Xiaoya Download
Status: Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: xiaoya-download
Version: 1.3.6

The XiaoyaDownload skill is a utility for searching and downloading media from a Xiaoya Alist instance. The core logic in `scripts/xiaoya_download.py` uses `rsync` to copy files from a local WebDAV mount to a designated download directory. Notably, the script implements multiple layers of protection against path traversal, including null byte checks, explicit `..` segment filtering, and strict containment validation using `pathlib.relative_to()`. It executes system commands via `subprocess.run` with argument lists rather than shell strings, and there is no evidence of data exfiltration or malicious prompt injection in `SKILL.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A selected download can consume disk space or overwrite/update same-named files in the configured download directory.
The skill invokes the local rsync tool to copy files from a WebDAV mount to the configured download directory. This is central to the stated purpose and uses argument lists rather than shell execution, but it can create or update local files.
```python
cmd = ["rsync", "--progress", "--partial", "-av", webdav_path, dst]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=7200)
```
Use a dedicated DOWNLOAD_DIR, verify the selected search result before copying, and keep backups for any directory where overwrites would matter.
The skill may fail until the user installs the needed dependencies and creates the .env configuration.
The documentation requires local tools and a Python package even though the registry metadata lists no required binaries, environment variables, or install spec. This is an under-declared setup requirement, not hidden behavior.
- **rsync** (system command, used for the WebDAV copy)
- **Python 3 + the requests library** (`pip3 install requests`)
Install rsync and requests from trusted package sources, create the .env file yourself, and confirm paths before running copy operations.
