{ "schemaVersion": "1.0", "item": { "slug": "stealth-proxy", "name": "Stealth Proxy", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/h4gen/stealth-proxy", "canonicalUrl": "https://clawhub.ai/h4gen/stealth-proxy", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/stealth-proxy", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=stealth-proxy", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md", "references/inspected-skills.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "slug": "stealth-proxy", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-29T17:09:47.038Z", "expiresAt": "2026-05-06T17:09:47.038Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=stealth-proxy", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=stealth-proxy", "contentDisposition": "attachment; filename=\"stealth-proxy-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "stealth-proxy" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/stealth-proxy" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/stealth-proxy", "agentPageUrl": "https://openagent3.xyz/skills/stealth-proxy/agent", "manifestUrl": "https://openagent3.xyz/skills/stealth-proxy/agent.json", "briefUrl": "https://openagent3.xyz/skills/stealth-proxy/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Purpose", "body": "Establish a secure, verified path when access is blocked by geo/IP policy, then resume the blocked workflow safely and audibly.\n\nPrimary outcomes:\n\ndetect and classify block behavior,\nswitch to a valid tunnel path with explicit user consent,\nverify public IP, region, and DNS safety posture,\nre-run blocked task with bounded retries,\nreturn an auditable connection report.\n\nThis is an orchestration skill. It does not guarantee legal access to restricted services." }, { "title": "Required Installed Skills", "body": "Core diagnostics/orchestration:\n\nshell-scripting (inspected latest: 1.0.0)\ncurl-http (inspected latest: 1.0.0)\n\nTunnel path options (at least one):\n\nprovider CLI path (NordVPN / Mullvad / ExpressVPN) via shell orchestration\nwireguard (inspected latest: 1.0.0)\ntailscale (inspected latest: 1.0.0)\n\nSafety and verification extensions:\n\ndns (inspected latest: 1.0.0)\nipinfo (inspected latest: 1.0.0)\nmoltguard (inspected latest: 6.0.2, optional but recommended)\n\nInstall/update:\n\nnpx -y clawhub@latest install shell-scripting\nnpx -y clawhub@latest install curl-http\nnpx -y clawhub@latest install wireguard\nnpx -y clawhub@latest install tailscale\nnpx -y clawhub@latest install dns\nnpx -y clawhub@latest install ipinfo\nnpx -y clawhub@latest install moltguard\nnpx -y clawhub@latest update --all\n\nVerify:\n\nnpx -y clawhub@latest list" }, { "title": "Required Credentials and Access", "body": "Required access:\n\nvalid account/session for selected tunnel path\nlocal executable for selected path (nordvpn/mullvad/expressvpn or wg or tailscale)\n\nOptional keys:\n\nMOLTGUARD_API_KEY (if MoltGuard remote detection mode is enabled)\nIPINFO_TOKEN (optional, higher quota geolocation verification)\n\nPreflight:\n\ncommand -v nordvpn || command -v mullvad || command -v expressvpn || command -v wg || command -v tailscale\necho \"$MOLTGUARD_API_KEY\" | wc -c\necho \"$IPINFO_TOKEN\" | wc -c\n\nMandatory behavior:\n\nNever fail silently on missing keys/auth.\nAlways return MissingAPIKeys and/or MissingCredentials with blocked stages.\nContinue with non-blocked diagnostics and mark output as Partial when needed." }, { "title": "Compliance Gate (Mandatory)", "body": "Before any tunnel switch, confirm and record:\n\nuser authorization to modify network routing,\nacknowledgment of legal/terms responsibility,\nstated purpose for geo-switch (testing, parity checks, privacy hardening).\n\nIf acknowledgment is missing:\n\ndo not execute switching commands,\nreturn diagnostics-only output." }, { "title": "Inputs the LM Must Collect First", "body": "blocked_url or blocked_endpoint\nblocked_task_name (example: prediction-market-arbitrage)\ntarget_region\ntunnel_path (provider-cli, wireguard, tailscale-exit-node)\nprovider_or_profile (provider name, WG profile, or exit-node name)\nrisk_mode (diagnose-only, switch-and-verify, switch-and-resume)\nkill_switch_required (yes/no)\nmax_retries (default: 2)\n\nDo not execute switching before tunnel path and target region are explicit." }, { "title": "shell-scripting", "body": "Use as control plane:\n\nexecutable detection,\nconnect/disconnect wrappers,\nretry and cleanup logic,\ndeterministic logging." }, { "title": "curl-http", "body": "Use for protocol-level evidence:\n\nbaseline and post-switch HTTP checks,\n403/geo-block signature capture,\nheader and status comparisons." }, { "title": "wireguard", "body": "Use when deterministic profile-based tunnels are required:\n\ncontrolled profile activation,\nroute and AllowedIPs sanity expectations,\nDNS handling awareness in tunnel config." }, { "title": "tailscale", "body": "Use for tailnet and exit-node path:\n\ntailscale up --exit-node=,\nconnectivity validation via tailscale ping/status,\nfast fallback among available exit nodes." }, { "title": "dns", "body": "Use for DNS leak and propagation sanity guidance:\n\nresolver checks,\nauthoritative vs cached record reasoning,\nexplicit leak-risk interpretation when DNS path remains local." }, { "title": "ipinfo", "body": "Use for geo-attestation:\n\nvalidate post-switch country/region/ASN,\ncompare with baseline,\nprovide confidence level for geo-alignment." }, { "title": "moltguard", "body": "Use as prompt/tool security guardrail:\n\nsanitize sensitive prompt/tool content,\ndetect prompt-injection patterns in fetched content,\nreduce accidental secret leakage in workflow logs.\n\nImportant limitation:\n\nMoltGuard is not a VPN manager and not a full network leak detector." }, { "title": "Canonical Causal Signal Chain", "body": "Block Detection\n\nbaseline request to blocked endpoint,\nclassify as geo_block, ip_block, auth_block, or other_http_error.\n\nBaseline Snapshot\n\ncapture pre-switch public IP, country, and resolver context.\n\nTunnel Path Selection\n\nchoose one path:\n\nprovider CLI,\nWireGuard profile,\nTailscale exit node.\n\n\nverify binary/auth/profile availability before connect.\n\nTunnel Activation\n\nconnect selected path,\nconfirm session state from tool output,\nenforce kill-switch preference if available.\n\nGeo and IP Verification\n\ncompare pre/post public IP,\nverify target country best-effort (ipinfo.io + optional token),\nrecord confidence if country mismatches.\n\nDNS Safety Check\n\ncheck resolver behavior and detect obvious DNS bypass patterns,\nflag risk if DNS appears untunneled in full-tunnel expectation.\n\nAccess Retest\n\nretry blocked endpoint,\ncompare HTTP status/content signatures against baseline.\n\nTask Resumption\n\nif retest passes, resume blocked workflow automatically (switch-and-resume mode),\notherwise rotate endpoint/profile once within retry budget and stop with evidence.\n\nSuggested verification commands:\n\ncurl -s ifconfig.me\ncurl -s https://ipinfo.io/json\ncurl -I \"${BLOCKED_URL}\"" }, { "title": "Leak and Safety Checks", "body": "Minimum checks before success:\n\npublic IP changed,\ntarget country aligned (or deviation explicitly explained),\nendpoint moved from blocked to reachable/expected-auth state,\nDNS path does not contradict tunnel expectations,\nno unresolved high-risk MoltGuard warning (if enabled).\n\nIf kill-switch is required but not supported/verified:\n\nreturn Needs Review and avoid high-risk task resumption." }, { "title": "Output Contract", "body": "Always return:\n\nBlockDiagnosis\n\nblock type\nbaseline HTTP evidence\n\n\n\nTunnelPath\n\nselected path and rationale\nprovider/profile/exit node\n\n\n\nTunnelStatus\n\nconnect state\npre/post IP\ntarget region match\n\n\n\nDNSSafety\n\nresolver observation\nleak risk assessment (low|medium|high)\n\n\n\nSecurityStatus\n\nMoltGuard mode (enabled, gateway-only, disabled)\nunresolved warnings\n\n\n\nAccessRetest\n\npost-switch result\nimprovement vs baseline\n\n\n\nTaskResumption\n\nresumed or blocked\nreason\n\n\n\nNextActions\n\nexact commands or account steps for unresolved blockers" }, { "title": "Quality Gates", "body": "Before final output, verify:\n\ndiagnosis is evidence-based,\npre/post network evidence is present,\nretry count respected,\nmissing credentials/keys clearly disclosed,\nprovider/path limitations explicitly stated.\n\nIf any gate fails, return Needs Revision with concrete missing checks." }, { "title": "Failure Handling", "body": "Missing tunnel binary/profile: return MissingCredentials with concrete install/profile steps.\nMissing VPN account/auth session: return MissingCredentials, skip switching stage.\nMissing MOLTGUARD_API_KEY in detection mode: return MissingAPIKeys, continue with gateway-only or disabled mode.\nTunnel connected but geo mismatch persists: one bounded retry with different endpoint/profile, then stop.\nEndpoint still blocked after retry: return full evidence bundle and manual-decision path." }, { "title": "Guardrails", "body": "Never claim legal or terms compliance on behalf of user.\nNever claim secure state without pre/post verification.\nNever unbounded-loop region hopping.\nNever hide ambiguous or failed access states." } ], "body": "Purpose\n\nEstablish a secure, verified path when access is blocked by geo/IP policy, then resume the blocked workflow safely and audibly.\n\nPrimary outcomes:\n\ndetect and classify block behavior,\nswitch to a valid tunnel path with explicit user consent,\nverify public IP, region, and DNS safety posture,\nre-run blocked task with bounded retries,\nreturn an auditable connection report.\n\nThis is an orchestration skill. It does not guarantee legal access to restricted services.\n\nRequired Installed Skills\n\nCore diagnostics/orchestration:\n\nshell-scripting (inspected latest: 1.0.0)\ncurl-http (inspected latest: 1.0.0)\n\nTunnel path options (at least one):\n\nprovider CLI path (NordVPN / Mullvad / ExpressVPN) via shell orchestration\nwireguard (inspected latest: 1.0.0)\ntailscale (inspected latest: 1.0.0)\n\nSafety and verification extensions:\n\ndns (inspected latest: 1.0.0)\nipinfo (inspected latest: 1.0.0)\nmoltguard (inspected latest: 6.0.2, optional but recommended)\n\nInstall/update:\n\nnpx -y clawhub@latest install shell-scripting\nnpx -y clawhub@latest install curl-http\nnpx -y clawhub@latest install wireguard\nnpx -y clawhub@latest install tailscale\nnpx -y clawhub@latest install dns\nnpx -y clawhub@latest install ipinfo\nnpx -y clawhub@latest install moltguard\nnpx -y clawhub@latest update --all\n\n\nVerify:\n\nnpx -y clawhub@latest list\n\nRequired Credentials and Access\n\nRequired access:\n\nvalid account/session for selected tunnel path\nlocal executable for selected path (nordvpn/mullvad/expressvpn or wg or tailscale)\n\nOptional keys:\n\nMOLTGUARD_API_KEY (if MoltGuard remote detection mode is enabled)\nIPINFO_TOKEN (optional, higher quota geolocation verification)\n\nPreflight:\n\ncommand -v nordvpn || command -v mullvad || command -v expressvpn || command -v wg || command -v tailscale\necho \"$MOLTGUARD_API_KEY\" | wc -c\necho \"$IPINFO_TOKEN\" | wc -c\n\n\nMandatory behavior:\n\nNever fail silently on missing keys/auth.\nAlways return MissingAPIKeys and/or MissingCredentials with blocked stages.\nContinue with non-blocked diagnostics and mark output as Partial when needed.\nCompliance Gate (Mandatory)\n\nBefore any tunnel switch, confirm and record:\n\nuser authorization to modify network routing,\nacknowledgment of legal/terms responsibility,\nstated purpose for geo-switch (testing, parity checks, privacy hardening).\n\nIf acknowledgment is missing:\n\ndo not execute switching commands,\nreturn diagnostics-only output.\nInputs the LM Must Collect First\nblocked_url or blocked_endpoint\nblocked_task_name (example: prediction-market-arbitrage)\ntarget_region\ntunnel_path (provider-cli, wireguard, tailscale-exit-node)\nprovider_or_profile (provider name, WG profile, or exit-node name)\nrisk_mode (diagnose-only, switch-and-verify, switch-and-resume)\nkill_switch_required (yes/no)\nmax_retries (default: 2)\n\nDo not execute switching before tunnel path and target region are explicit.\n\nTool Responsibilities\nshell-scripting\n\nUse as control plane:\n\nexecutable detection,\nconnect/disconnect wrappers,\nretry and cleanup logic,\ndeterministic logging.\ncurl-http\n\nUse for protocol-level evidence:\n\nbaseline and post-switch HTTP checks,\n403/geo-block signature capture,\nheader and status comparisons.\nwireguard\n\nUse when deterministic profile-based tunnels are required:\n\ncontrolled profile activation,\nroute and AllowedIPs sanity expectations,\nDNS handling awareness in tunnel config.\ntailscale\n\nUse for tailnet and exit-node path:\n\ntailscale up --exit-node=,\nconnectivity validation via tailscale ping/status,\nfast fallback among available exit nodes.\ndns\n\nUse for DNS leak and propagation sanity guidance:\n\nresolver checks,\nauthoritative vs cached record reasoning,\nexplicit leak-risk interpretation when DNS path remains local.\nipinfo\n\nUse for geo-attestation:\n\nvalidate post-switch country/region/ASN,\ncompare with baseline,\nprovide confidence level for geo-alignment.\nmoltguard\n\nUse as prompt/tool security guardrail:\n\nsanitize sensitive prompt/tool content,\ndetect prompt-injection patterns in fetched content,\nreduce accidental secret leakage in workflow logs.\n\nImportant limitation:\n\nMoltGuard is not a VPN manager and not a full network leak detector.\nCanonical Causal Signal Chain\nBlock Detection\nbaseline request to blocked endpoint,\nclassify as geo_block, ip_block, auth_block, or other_http_error.\nBaseline Snapshot\ncapture pre-switch public IP, country, and resolver context.\nTunnel Path Selection\nchoose one path:\nprovider CLI,\nWireGuard profile,\nTailscale exit node.\nverify binary/auth/profile availability before connect.\nTunnel Activation\nconnect selected path,\nconfirm session state from tool output,\nenforce kill-switch preference if available.\nGeo and IP Verification\ncompare pre/post public IP,\nverify target country best-effort (ipinfo.io + optional token),\nrecord confidence if country mismatches.\nDNS Safety Check\ncheck resolver behavior and detect obvious DNS bypass patterns,\nflag risk if DNS appears untunneled in full-tunnel expectation.\nAccess Retest\nretry blocked endpoint,\ncompare HTTP status/content signatures against baseline.\nTask Resumption\nif retest passes, resume blocked workflow automatically (switch-and-resume mode),\notherwise rotate endpoint/profile once within retry budget and stop with evidence.\n\nSuggested verification commands:\n\ncurl -s ifconfig.me\ncurl -s https://ipinfo.io/json\ncurl -I \"${BLOCKED_URL}\"\n\nLeak and Safety Checks\n\nMinimum checks before success:\n\npublic IP changed,\ntarget country aligned (or deviation explicitly explained),\nendpoint moved from blocked to reachable/expected-auth state,\nDNS path does not contradict tunnel expectations,\nno unresolved high-risk MoltGuard warning (if enabled).\n\nIf kill-switch is required but not supported/verified:\n\nreturn Needs Review and avoid high-risk task resumption.\nOutput Contract\n\nAlways return:\n\nBlockDiagnosis\n\nblock type\nbaseline HTTP evidence\n\nTunnelPath\n\nselected path and rationale\nprovider/profile/exit node\n\nTunnelStatus\n\nconnect state\npre/post IP\ntarget region match\n\nDNSSafety\n\nresolver observation\nleak risk assessment (low|medium|high)\n\nSecurityStatus\n\nMoltGuard mode (enabled, gateway-only, disabled)\nunresolved warnings\n\nAccessRetest\n\npost-switch result\nimprovement vs baseline\n\nTaskResumption\n\nresumed or blocked\nreason\n\nNextActions\n\nexact commands or account steps for unresolved blockers\nQuality Gates\n\nBefore final output, verify:\n\ndiagnosis is evidence-based,\npre/post network evidence is present,\nretry count respected,\nmissing credentials/keys clearly disclosed,\nprovider/path limitations explicitly stated.\n\nIf any gate fails, return Needs Revision with concrete missing checks.\n\nFailure Handling\nMissing tunnel binary/profile: return MissingCredentials with concrete install/profile steps.\nMissing VPN account/auth session: return MissingCredentials, skip switching stage.\nMissing MOLTGUARD_API_KEY in detection mode: return MissingAPIKeys, continue with gateway-only or disabled mode.\nTunnel connected but geo mismatch persists: one bounded retry with different endpoint/profile, then stop.\nEndpoint still blocked after retry: return full evidence bundle and manual-decision path.\nGuardrails\nNever claim legal or terms compliance on behalf of user.\nNever claim secure state without pre/post verification.\nNever unbounded-loop region hopping.\nNever hide ambiguous or failed access states." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/h4gen/stealth-proxy", "publisherUrl": "https://clawhub.ai/h4gen/stealth-proxy", "owner": "h4gen", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/stealth-proxy", "downloadUrl": "https://openagent3.xyz/downloads/stealth-proxy", "agentUrl": "https://openagent3.xyz/skills/stealth-proxy/agent", "manifestUrl": "https://openagent3.xyz/skills/stealth-proxy/agent.json", "briefUrl": "https://openagent3.xyz/skills/stealth-proxy/agent.md" } }