Yixiaoer Rotator Skill

Verdict: Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: yixiaoer-rotator-skill
Version: 1.0.5

The skill is a utility for rotating Yixiaoer platform accounts to manage multi-account posting. The core logic in `scripts/account-rotator.js` manages account indices in a local JSON file and interacts with a secondary skill (`yixiaoer-skill`) via shell commands. While it uses `execSync`, it includes basic security measures such as regex validation for API keys and single-quote escaping for payloads to mitigate shell injection risks, and shows no signs of intentional malice or data exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Yixiaoer API key may allow account access and publishing workflows through the related API tooling.

Why it was flagged

The skill requires a provider API key and member ID even though registry requirements list no required credentials or env vars.

Skill content

export YIXIAOER_API_KEY="你的蚁小二 API Key"
export YIXIAOER_MEMBER_ID="你的成员 ID"

Recommendation

Use a scoped and revocable API key if available, set it only for sessions that need this skill, and confirm the permissions granted by the key.

What this means

If the referenced helper skill or path is tampered with, the sync command could run unexpected code with the current environment.

Why it was flagged

The script shells out to Node to run another skill's API wrapper.

Skill content

const { execSync } = require('child_process'); ... const result = execSync(`node "${scriptPath}" --payload='${payloadStr.replace(/'/g, "'\\''")}'`, {

Recommendation

Inspect and trust the installed `yixiaoer-skill` dependency before running `sync`; a safer implementation would pass arguments through `execFileSync`/`spawn` or make a direct library/API call instead of building a shell string.

What this means

The security of this rotator partly depends on the separate yixiaoer-skill package.

Why it was flagged

The skill depends on a separate package whose contents are not included in this artifact set, and the visible code later invokes that dependency.

Skill content

This skill depends on `yixiaoer-skill`; make sure it is installed:
clawhub install yixiaoer-skill

Recommendation

Review the dependency source and installed path before using this skill with real account credentials.

What this means

Running the example in a real workflow could publish content using the selected account.

Why it was flagged

The documentation shows using the rotated account ID in a publish API workflow.

Skill content

  "action": "publish",
  "platforms": ["哔哩哔哩"],
  "accountForms": [{"platformAccountId": "'$ACCOUNT_ID'"}]

Recommendation

Require explicit user review before publishing, and verify the selected platform/account from `status` or `accounts <平台名>` before sending content.

What this means

Future account selection depends on this local state; stale or manually modified state could cause the wrong account to be chosen.

Why it was flagged

The skill stores account metadata and rotation indices in a persistent local JSON state file.

Skill content

const STATE_FILE = path.join(__dirname, 'account-rotator-state.json'); ... fs.writeFileSync(STATE_FILE, JSON.stringify(state, null, 2) + '\n');

Recommendation

Keep the state file protected, inspect `status` before publishing, and reset or resync if the account order looks wrong.