功能描述

Route AI agent traffic through a residential IP using Tailscale exit nodes — no custom code, no proxies, just WireGuard.

使用说明 (SKILL.md)

claw-relay

Name: Claw Relay
Author: nicholaslocascio

You are helping a human set up claw-relay — a method for routing AI agent traffic through a residential IP address using Tailscale exit nodes. No custom relay, no daemon, no proxy software. Just Tailscale.

Architecture

There are two nodes connected by a Tailscale tunnel:

┌──────────────────────┐          ┌──────────────────────┐
│   CLOUD NODE         │          │   RESIDENTIAL NODE   │
│   (datacenter IP)    │          │   (home IP)          │
│                      │          │                      │
│   AI Agent           │          │   Tailscale          │
│     ↓                │          │   (exit node)        │
│   Tailscale ─────────┼── WG ───▶│     ↓                │
│   (use exit node)    │          │   Internet           │
│                      │          │   (exits from home)  │
└──────────────────────┘          └──────────────────────┘

Cloud node: A VPS running the AI agent. Tailscale routes its traffic through the exit node.
Residential node: The human's laptop running Tailscale as an exit node. Traffic exits from this IP.
Tailscale connects the two over an encrypted WireGuard tunnel. No custom code needed.

Which node are you setting up?

Ask the human which side they need to configure. They may need to do both, but walk through one at a time.

Residential Node Setup (human's laptop — do this first)

The human's laptop becomes a Tailscale exit node, allowing the VPS to route traffic through it.

Prerequisites

A Tailscale account (free at https://tailscale.com)

1. Install Tailscale

macOS:

brew install tailscale

Linux:

curl -fsSL https://tailscale.com/install.sh | sh

2. Enable as exit node

sudo tailscale up --advertise-exit-node

3. Approve the exit node

Go to the Tailscale admin console at https://login.tailscale.com/admin/machines — find the laptop and approve it as an exit node by clicking the three-dot menu → "Edit route settings" → enable "Use as exit node".

Alternatively, if you have --accept-routes on your policy, this happens automatically.

Test

tailscale status

The laptop should show as an exit node in the tailnet.

Cloud Node Setup (VPS)

This is the server running your AI agent. It joins the same tailnet and routes all traffic through the residential exit node.

Prerequisites

A VPS or cloud server (any provider — DigitalOcean, Hetzner, AWS, etc.)
The residential node must already be set up as an exit node

1. Install Tailscale

curl -fsSL https://tailscale.com/install.sh | sh

2. Join the tailnet and set exit node

Find the residential node's Tailscale hostname or IP:

tailscale status

Then set it as the exit node:

sudo tailscale up --exit-node=\x3Claptop-hostname-or-ip>

Replace \x3Claptop-hostname-or-ip> with the Tailscale IP (e.g., 100.64.x.x) or hostname of the laptop.

3. Verify

curl https://httpbin.org/ip

The response should show the residential IP (the laptop's public IP), not the VPS IP.

Agent Configuration

Once the exit node is set, all traffic from the VPS routes through the laptop automatically. No proxy configuration needed in your agent code — it's transparent at the network level.

Your agent code doesn't change at all:

import requests

r = requests.get("https://httpbin.org/ip")
print(r.json())  # Shows the residential IP

const res = await fetch("https://httpbin.org/ip");
console.log(await res.json()); // Shows the residential IP

curl https://httpbin.org/ip  # Shows the residential IP

Per-process control (optional)

If you want only specific processes to use the exit node instead of all VPS traffic, you can use Tailscale's --exit-node with app-specific routing or configure HTTPS_PROXY with a local proxy that routes through Tailscale.

Advanced: Isolation with Tailscale ACLs

For production setups, use Tailscale ACLs to control which machines can use which exit nodes:

{
  "tagOwners": {
    "tag:agent": ["autogroup:admin"],
    "tag:exitnode": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:agent"],
      "dst": ["tag:exitnode:*"]
    }
  ]
}

Tag your VPS as tag:agent and your laptop as tag:exitnode to restrict access.

Advanced: Headscale (fully self-hosted)

If you want zero dependency on Tailscale's coordination server, use Headscale — an open-source, self-hosted implementation of the Tailscale control server.

Deploy Headscale on a server you control
Point both nodes to your Headscale instance instead of Tailscale's servers
Everything else works the same — WireGuard tunnels, exit nodes, ACLs

This gives you a fully self-hosted solution with no third-party dependencies.

Troubleshooting

Exit node not showing: Make sure you approved it in the admin console
VPS still shows datacenter IP: Run tailscale status to verify the exit node is connected, then sudo tailscale up --exit-node=\x3Claptop> again
Connection drops: Check that the laptop has internet access and Tailscale is running
Laptop went to sleep: Tailscale reconnects automatically when the laptop wakes up, but the VPS will lose internet access while the laptop is offline

安全使用建议

This skill is coherent and documents a standard way to route a VPS's traffic through a home IP using Tailscale exit nodes. Before using it, consider: (1) Security/privacy: traffic from your VPS will egress your home network — any malicious or misconfigured agent on the VPS could reach services on your LAN or consume your bandwidth. Only enable an exit node on machines you trust and monitor. (2) Availability: your laptop must stay online; if it sleeps or disconnects the VPS loses internet egress. (3) Provider/ToS: routing traffic this way may violate your cloud provider or ISP terms — check policies. (4) Installation safety: the install step uses a remote install script (official tailscale.com URL); if you prefer, review the script before running it or use platform package managers. (5) If you want to avoid using Tailscale's control plane, consider the documented Headscale option. Also note a minor metadata inconsistency: the registry metadata listed no homepage, but the SKILL.md includes a homepage URL (clawrelay.ai); this is not a functionality problem but worth verifying the skill's source before proceeding.

功能分析

Type: OpenClaw Skill Name: claw-relay Version: 1.0.0 The skill provides instructions for configuring Tailscale to route AI agent traffic through a residential IP. All commands, including `curl -fsSL https://tailscale.com/install.sh | sh` and `sudo tailscale up`, are standard procedures for installing and configuring the legitimate Tailscale VPN service. There is no evidence of malicious intent, data exfiltration, unauthorized access, or prompt injection attempts against the AI agent. The instructions are transparent and directly align with the stated purpose of setting up a network relay.

能力评估

✓ Purpose & Capability

Name/description match the instructions: the SKILL.md explains how to advertise and use a Tailscale exit node from a residential machine and how to configure the VPS to use it. Required binary (tailscale) is appropriate and proportional.

ℹ Instruction Scope

Instructions remain within the stated purpose (install Tailscale, advertise/accept exit node, set --exit-node). They instruct the user to run system installer commands and use the Tailscale admin console, which is expected. Minor note: the doc suggests both 'transparent network routing' and an optional per-process proxy approach; that's not harmful but slightly contradictory in phrasing.

ℹ Install Mechanism

The instructions recommend running the official Tailscale install script (curl -fsSL https://tailscale.com/install.sh | sh). This is a common, documented installation method for Tailscale; it is a remote install-and-execute pattern (higher-risk in general) but uses the vendor's canonical URL.

✓ Credentials

The skill requests no environment variables, no credentials, and no config paths. That is proportional for a networking/instructions-only skill.

✓ Persistence & Privilege

Skill is instruction-only, has no install-time artifacts, and does not request 'always: true' or system-wide persistent privileges. It does not request to modify other skills or system-wide agent settings.

版本历史

v1.0.0

claw-relay 1.0.0 - Initial release of claw-relay. - Enables routing AI agent traffic through a residential IP using Tailscale exit nodes (WireGuard tunnel) — no custom relay or proxy required. - Provides setup instructions for both Residential Node (exit node) and Cloud Node (VPS). - Includes troubleshooting steps, architecture overview, and advanced options for ACLs and self-hosting with Headscale. - No changes to agent code required; network routing is fully transparent.

元数据

Slug claw-relay

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Claw Relay 是什么？

Route AI agent traffic through a residential IP using Tailscale exit nodes — no custom code, no proxies, just WireGuard. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 347 次。

如何安装 Claw Relay？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install claw-relay」即可一键安装，无需额外配置。

Claw Relay 是免费的吗？

是的，Claw Relay 完全免费（开源免费），可自由下载、安装和使用。

Claw Relay 支持哪些平台？

Claw Relay 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Claw Relay？

由 Nick Locascio（@nicholaslocascio）开发并维护，当前版本 v1.0.0。

Claw Relay

claw-relay

Architecture

Which node are you setting up?

Residential Node Setup (human's laptop — do this first)

Prerequisites

1. Install Tailscale

2. Enable as exit node

3. Approve the exit node

Test

Cloud Node Setup (VPS)

Prerequisites

1. Install Tailscale

2. Join the tailnet and set exit node

3. Verify

Agent Configuration

Per-process control (optional)

Advanced: Isolation with Tailscale ACLs

Advanced: Headscale (fully self-hosted)

Troubleshooting

Claw Relay 是什么？

如何安装 Claw Relay？

Claw Relay 是免费的吗？

Claw Relay 支持哪些平台？

谁开发了 Claw Relay？

💬 留言讨论