# Send Stealth Proxy to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "stealth-proxy",
    "name": "Stealth Proxy",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/h4gen/stealth-proxy",
    "canonicalUrl": "https://clawhub.ai/h4gen/stealth-proxy",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/stealth-proxy",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=stealth-proxy",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md",
      "references/inspected-skills.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "stealth-proxy",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-29T17:09:47.038Z",
      "expiresAt": "2026-05-06T17:09:47.038Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=stealth-proxy",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=stealth-proxy",
        "contentDisposition": "attachment; filename=\"stealth-proxy-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "stealth-proxy"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/stealth-proxy"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/stealth-proxy",
    "downloadUrl": "https://openagent3.xyz/downloads/stealth-proxy",
    "agentUrl": "https://openagent3.xyz/skills/stealth-proxy/agent",
    "manifestUrl": "https://openagent3.xyz/skills/stealth-proxy/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/stealth-proxy/agent.md"
  }
}
```
## Documentation

### Purpose

Establish a secure, verified path when access is blocked by geo/IP policy, then resume the blocked workflow safely and audibly.

Primary outcomes:

detect and classify block behavior,
switch to a valid tunnel path with explicit user consent,
verify public IP, region, and DNS safety posture,
re-run blocked task with bounded retries,
return an auditable connection report.

This is an orchestration skill. It does not guarantee legal access to restricted services.

### Required Installed Skills

Core diagnostics/orchestration:

shell-scripting (inspected latest: 1.0.0)
curl-http (inspected latest: 1.0.0)

Tunnel path options (at least one):

provider CLI path (NordVPN / Mullvad / ExpressVPN) via shell orchestration
wireguard (inspected latest: 1.0.0)
tailscale (inspected latest: 1.0.0)

Safety and verification extensions:

dns (inspected latest: 1.0.0)
ipinfo (inspected latest: 1.0.0)
moltguard (inspected latest: 6.0.2, optional but recommended)

Install/update:

npx -y clawhub@latest install shell-scripting
npx -y clawhub@latest install curl-http
npx -y clawhub@latest install wireguard
npx -y clawhub@latest install tailscale
npx -y clawhub@latest install dns
npx -y clawhub@latest install ipinfo
npx -y clawhub@latest install moltguard
npx -y clawhub@latest update --all

Verify:

npx -y clawhub@latest list

### Required Credentials and Access

Required access:

valid account/session for selected tunnel path
local executable for selected path (nordvpn/mullvad/expressvpn or wg or tailscale)

Optional keys:

MOLTGUARD_API_KEY (if MoltGuard remote detection mode is enabled)
IPINFO_TOKEN (optional, higher quota geolocation verification)

Preflight:

command -v nordvpn || command -v mullvad || command -v expressvpn || command -v wg || command -v tailscale
echo "$MOLTGUARD_API_KEY" | wc -c
echo "$IPINFO_TOKEN" | wc -c

Mandatory behavior:

Never fail silently on missing keys/auth.
Always return MissingAPIKeys and/or MissingCredentials with blocked stages.
Continue with non-blocked diagnostics and mark output as Partial when needed.

### Compliance Gate (Mandatory)

Before any tunnel switch, confirm and record:

user authorization to modify network routing,
acknowledgment of legal/terms responsibility,
stated purpose for geo-switch (testing, parity checks, privacy hardening).

If acknowledgment is missing:

do not execute switching commands,
return diagnostics-only output.

### Inputs the LM Must Collect First

blocked_url or blocked_endpoint
blocked_task_name (example: prediction-market-arbitrage)
target_region
tunnel_path (provider-cli, wireguard, tailscale-exit-node)
provider_or_profile (provider name, WG profile, or exit-node name)
risk_mode (diagnose-only, switch-and-verify, switch-and-resume)
kill_switch_required (yes/no)
max_retries (default: 2)

Do not execute switching before tunnel path and target region are explicit.

### shell-scripting

Use as control plane:

executable detection,
connect/disconnect wrappers,
retry and cleanup logic,
deterministic logging.

### curl-http

Use for protocol-level evidence:

baseline and post-switch HTTP checks,
403/geo-block signature capture,
header and status comparisons.

### wireguard

Use when deterministic profile-based tunnels are required:

controlled profile activation,
route and AllowedIPs sanity expectations,
DNS handling awareness in tunnel config.

### tailscale

Use for tailnet and exit-node path:

tailscale up --exit-node=<node>,
connectivity validation via tailscale ping/status,
fast fallback among available exit nodes.

### dns

Use for DNS leak and propagation sanity guidance:

resolver checks,
authoritative vs cached record reasoning,
explicit leak-risk interpretation when DNS path remains local.

### ipinfo

Use for geo-attestation:

validate post-switch country/region/ASN,
compare with baseline,
provide confidence level for geo-alignment.

### moltguard

Use as prompt/tool security guardrail:

sanitize sensitive prompt/tool content,
detect prompt-injection patterns in fetched content,
reduce accidental secret leakage in workflow logs.

Important limitation:

MoltGuard is not a VPN manager and not a full network leak detector.

### Canonical Causal Signal Chain

Block Detection

baseline request to blocked endpoint,
classify as geo_block, ip_block, auth_block, or other_http_error.

Baseline Snapshot

capture pre-switch public IP, country, and resolver context.

Tunnel Path Selection

choose one path:

provider CLI,
WireGuard profile,
Tailscale exit node.


verify binary/auth/profile availability before connect.

Tunnel Activation

connect selected path,
confirm session state from tool output,
enforce kill-switch preference if available.

Geo and IP Verification

compare pre/post public IP,
verify target country best-effort (ipinfo.io + optional token),
record confidence if country mismatches.

DNS Safety Check

check resolver behavior and detect obvious DNS bypass patterns,
flag risk if DNS appears untunneled in full-tunnel expectation.

Access Retest

retry blocked endpoint,
compare HTTP status/content signatures against baseline.

Task Resumption

if retest passes, resume blocked workflow automatically (switch-and-resume mode),
otherwise rotate endpoint/profile once within retry budget and stop with evidence.

Suggested verification commands:

curl -s ifconfig.me
curl -s https://ipinfo.io/json
curl -I "${BLOCKED_URL}"

### Leak and Safety Checks

Minimum checks before success:

public IP changed,
target country aligned (or deviation explicitly explained),
endpoint moved from blocked to reachable/expected-auth state,
DNS path does not contradict tunnel expectations,
no unresolved high-risk MoltGuard warning (if enabled).

If kill-switch is required but not supported/verified:

return Needs Review and avoid high-risk task resumption.

### Output Contract

Always return:

BlockDiagnosis

block type
baseline HTTP evidence



TunnelPath

selected path and rationale
provider/profile/exit node



TunnelStatus

connect state
pre/post IP
target region match



DNSSafety

resolver observation
leak risk assessment (low|medium|high)



SecurityStatus

MoltGuard mode (enabled, gateway-only, disabled)
unresolved warnings



AccessRetest

post-switch result
improvement vs baseline



TaskResumption

resumed or blocked
reason



NextActions

exact commands or account steps for unresolved blockers

### Quality Gates

Before final output, verify:

diagnosis is evidence-based,
pre/post network evidence is present,
retry count respected,
missing credentials/keys clearly disclosed,
provider/path limitations explicitly stated.

If any gate fails, return Needs Revision with concrete missing checks.

### Failure Handling

Missing tunnel binary/profile: return MissingCredentials with concrete install/profile steps.
Missing VPN account/auth session: return MissingCredentials, skip switching stage.
Missing MOLTGUARD_API_KEY in detection mode: return MissingAPIKeys, continue with gateway-only or disabled mode.
Tunnel connected but geo mismatch persists: one bounded retry with different endpoint/profile, then stop.
Endpoint still blocked after retry: return full evidence bundle and manual-decision path.

### Guardrails

Never claim legal or terms compliance on behalf of user.
Never claim secure state without pre/post verification.
Never unbounded-loop region hopping.
Never hide ambiguous or failed access states.
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: h4gen
- Version: 1.0.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-04-29T17:09:47.038Z
- Expires at: 2026-05-06T17:09:47.038Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/stealth-proxy)
- [Send to Agent page](https://openagent3.xyz/skills/stealth-proxy/agent)
- [JSON manifest](https://openagent3.xyz/skills/stealth-proxy/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/stealth-proxy/agent.md)
- [Download page](https://openagent3.xyz/downloads/stealth-proxy)