Yixiaoer Rotator Skill

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears aligned with its advertised account-rotation purpose, but it uses a Yixiaoer API key, runs a helper from another skill, and saves local account-rotation state.

Before installing, verify the separate yixiaoer-skill dependency and the installed script version, use a scoped/revocable Yixiaoer API key, and check the rotation state before publishing. The provided script artifact is truncated, so inspect the installed file directly if you need high assurance.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Yixiaoer API key may allow account access and publishing workflows through the related API tooling.

Why it was flagged

The skill requires a provider API key and member ID even though registry requirements list no required credentials or env vars.

Skill content
export YIXIAOER_API_KEY="你的蚁小二 API Key"
export YIXIAOER_MEMBER_ID="你的成员 ID"
Recommendation

Use a scoped and revocable API key if available, set it only for sessions that need this skill, and confirm the permissions granted by the key.

What this means

If the referenced helper skill or path is tampered with, the sync command could run unexpected code with the current environment.

Why it was flagged

The script shells out to Node to run another skill's API wrapper.

Skill content
const { execSync } = require('child_process'); ... const result = execSync(`node "${scriptPath}" --payload='${payloadStr.replace(/'/g, "'\\''")}'`, {
Recommendation

Inspect and trust the installed yixiaoer-skill dependency before running sync; a safer implementation would use execFileSync/spawn arguments or a direct library/API call instead of a shell string.

What this means

The security of this rotator partly depends on the separate yixiaoer-skill package.

Why it was flagged

The skill depends on a separate package whose contents are not included in this artifact set, and the visible code later invokes that dependency.

Skill content
This skill depends on `yixiaoer-skill`; make sure it is installed:
clawhub install yixiaoer-skill
Recommendation

Review the dependency source and installed path before using this skill with real account credentials.

What this means

Running the example in a real workflow could publish content using the selected account.

Why it was flagged

The documentation shows using the rotated account ID in a publish API workflow.

Skill content
  "action": "publish",
  "platforms": ["哔哩哔哩"],
  "accountForms": [{"platformAccountId": "'$ACCOUNT_ID'"}]
Recommendation

Require explicit user review before publishing, and verify the selected platform/account from `status` or `accounts <平台名>` (platform name) before sending content.

What this means

Future account selection depends on this local state; stale or manually modified state could cause the wrong account to be chosen.

Why it was flagged

The skill stores account metadata and rotation indices in a persistent local JSON state file.

Skill content
const STATE_FILE = path.join(__dirname, 'account-rotator-state.json'); ... fs.writeFileSync(STATE_FILE, JSON.stringify(state, null, 2) + '\n');
Recommendation

Keep the state file protected, inspect `status` before publishing, and reset or resync if the account order looks wrong.