Vpn Rotate Skill

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

This skill openly rotates VPNs to evade rate limits and makes persistent passwordless sudo changes, so it requires careful review before use.

Install only if you intentionally want a system-level VPN automation tool and have permission to use it with the target services. Review the shell script first, understand that it creates passwordless sudo privileges, and prefer running it in an isolated VM or container rather than on your main machine.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could make high-volume requests while evading blocks, potentially violating service terms, triggering account bans, or creating legal/compliance issues.

Why it was flagged

The skill's primary advertised function is to evade API rate limits and blocking by rotating VPN exit IPs, which can enable unauthorized scraping or misuse of third-party services.

Skill content

Bypass API rate limits by rotating VPN servers... Automatically rotates to new server every N requests for fresh IPs. Use for high-volume scraping

Recommendation

Use only for services where you have explicit permission and where VPN rotation does not violate rules. Require clear user approval before using it against any third-party service.

What this means

After setup, agent-run code under the user account can start privileged VPN processes and kill processes without another password prompt, which broadens the agent's effective system authority.

Why it was flagged

The setup script creates a persistent sudoers rule allowing passwordless root execution of OpenVPN and process-kill commands.

Skill content

echo "$USER ALL=(ALL) NOPASSWD: /usr/sbin/openvpn, /usr/bin/killall, /bin/kill" | sudo tee "$SUDOERS_FILE"

Recommendation

Avoid installing the passwordless sudo rule unless absolutely necessary. Prefer a tightly scoped wrapper, require manual confirmation for privileged commands, and remove `/etc/sudoers.d/vpn-rotate` when finished.

Concern (High Confidence)
ASI08: Cascading Failures

What this means

Using or rotating this VPN can disrupt unrelated VPN sessions, expose traffic that was expected to stay tunneled, or interrupt other applications relying on OpenVPN.

Why it was flagged

Disconnect and rotation fall back to killing all OpenVPN processes on the host, not only the process started by this skill.

Skill content

self._run(["sudo", "-n", "killall", "openvpn"])

Recommendation

Run it only in an isolated environment such as a container or VM, and change the implementation to track and terminate only its own OpenVPN process.

What this means

Running setup changes system packages and requires trusting the script with sudo-level actions.

Why it was flagged

The user-directed setup script performs privileged package installation. This is expected for an OpenVPN controller, but it is a significant local system change.

Skill content

sudo apt update && sudo apt install -y openvpn

Recommendation

Inspect the script before running it, install OpenVPN through your normal system administration process if possible, and do not run setup from an untrusted directory.

Note (High Confidence)
ASI10: Rogue Agents

What this means

The VPN can continue changing the machine's network path after the immediate agent action unless it is explicitly disconnected.

Why it was flagged

OpenVPN is intentionally launched as a background daemon and remains active until disconnected.

Skill content

"--daemon", "--writepid", str(PID_FILE), "--log", str(LOG_FILE)

Recommendation

Verify the VPN is disconnected after use, monitor `/tmp/vpn-rotate.pid`, and avoid leaving the persistent sudo rule installed for routine agent tasks.