Stealth
MaliciousAudited by ClawScan on May 10, 2026.
Overview
This skill is designed to make an AI agent bypass website anti-bot, CAPTCHA, Cloudflare, and IP-blocking defenses.
Avoid installing this skill for general use. It is built to help agents evade website defenses and may violate site rules or laws. Only consider it in an explicitly authorized testing environment, and be aware that it stores proxy/solver credentials and sends target-page data to third-party services.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could automate access to websites in ways that evade their security and abuse-prevention systems, enabling unauthorized scraping, account abuse, or terms-of-service violations.
The core workflow is to bypass anti-bot, CAPTCHA, Cloudflare, and IP-blocking controls rather than to use a scoped, authorized integration.
Set up residential proxies, solve CAPTCHAs, and configure stealth browsers to avoid bot detection... encounters Cloudflare challenges, needs to bypass IP blocks
Do not install or use this skill for third-party websites unless you have explicit authorization for security testing; prefer official APIs and remove bypass-oriented workflows.
Websites may be misled into treating automated traffic as legitimate human traffic, undermining their trust and anti-abuse controls.
The browser configuration intentionally falsifies automation and fingerprinting signals so the agent appears more like a real human browser.
Object.defineProperty(navigator, 'webdriver', {get: () => undefined}); ... Object.defineProperty(navigator, 'plugins'...); window.chrome = { runtime: {} };Avoid using browser spoofing or human-behavior simulation except in clearly authorized test environments; disclose automation and honor site access policies.
The CAPTCHA provider can learn which pages the agent is trying to access and receives the user's solver account credential.
CAPTCHA-solving examples send the target page URL, site key, and solver API key to external provider APIs.
requests.post("https://api.capsolver.com/createTask", json={ "clientKey": API_KEY, "task": { ... "websiteURL": PAGE_URL, "websiteKey": SITEKEY } })Treat this as third-party data sharing; do not use it on sensitive or private pages, and review the provider's policies before use.
Anyone or any process that can read the config file may be able to use the proxy account, potentially incurring cost or linking traffic to the user.
The skill documents storing reusable proxy credentials in a local configuration file.
"username": "USER", "password": "PASS" ... chmod 600 ~/.config/stealth/proxy.json
Use dedicated limited-scope credentials, keep file permissions restrictive, rotate secrets, and avoid reusing these credentials elsewhere.
Installing an unpinned external package may introduce unreviewed code or dependency changes into the user's environment.
The documentation recommends an unpinned third-party package with native-level anti-detection claims.
npm install @askjo/camoufox-browser ... C++ level anti-detection
Do not install the package unless you have reviewed and pinned the dependency source and version in an isolated environment.