ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Proxy4agent

v1.6.3

Residential proxy for AI agents — fetch any URL through 2M+ real IPs, bypass anti-bot, geo-target, sticky sessions.

0· 67·0 current·0 all-time
byMemijashi@goldentrii
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the runtime instructions (installing an npm proxy client and providing proxy credentials). However there are small mismatches: registry metadata shows version 1.6.3 while SKILL.md references 1.6.2, and primaryEnv lists only NOVADA_PROXY_USER yet the example requires NOVADA_PROXY_PASS as well. These inconsistencies are unexplained but could be benign (out-of-date docs).
!
Instruction Scope
SKILL.md instructs the agent to install and run an npm package (bestproxy4agents) and then fetch arbitrary URLs through a third-party residential network. That is within the claimed proxy purpose, but it also means any URL (including internal or sensitive endpoints if mistakenly used) and request/response content will transit a provider you do not control — a high-risk data-exposure capability. The doc warns about this, but the agent will have the technical ability to route any data through the provider.
Install Mechanism
Installation uses npx to pull an npm package (bestproxy4agents). Pulling code from the public npm registry is common for this functionality but is a moderate risk because arbitrary remote code will be fetched and executed at install/runtime. The registry's declared install (node formula bestproxy4agents@1.6.2) and the SKILL.md npx usage are consistent with an npm-based install, but the version mismatch noted above should be clarified.
!
Credentials
The skill declares a primary credential NOVADA_PROXY_USER but the examples and optional features reference additional environment variables (NOVADA_PROXY_PASS, NOVADA_API_KEY, NOVADA_BROWSER_WS, PROXY_URL). The SKILL.md expects a password or proxy URL in practice; the registry metadata does not list these as required. Requesting provider credentials is expected for a proxy skill, but the metadata/instructions are inconsistent about which variables are required and which are optional.
Persistence & Privilege
always:false and no required config paths are declared. The skill does not request elevated platform privileges or permanent forced inclusion. Autonomous invocation is allowed (the platform default), which increases the blast radius if the skill is misused, but this alone is not an incoherence.
What to consider before installing
This skill appears to be a normal residential-proxy integration, but exercise caution before installing. Verify the npm package source (bestproxy4agents) and the GitHub repo/release tarball to ensure you trust the publisher. Clarify the credential requirements (NOVADA_PROXY_USER vs NOVADA_PROXY_PASS and optional keys) and the exact package version (1.6.2 vs 1.6.3). Remember that the proxy provider can see full request/response data — do not send internal URLs, API keys, or PII through it. If you must use it for automation, restrict the agent's ability to send sensitive data, and prefer a provider you control or have audited. If you need help, ask the publisher for a signed release URL, package provenance, and a clear env-var list before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk9734b51r98ztb5ac5hgywdfd184kgf4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

OSmacOS · Linux · Windows
Any binnode, npx
Primary envNOVADA_PROXY_USER

Install

Node
Bins: bestproxy4agents

Comments