testing-nodes
Runs IP reputation checks (risk scores, streaming unlock, blacklists via 9 providers) and network performance tests (BGP, latency, speed, routing to 31 Chinese provinces) on proxy nodes via SSH. Generates structured health reports with actionable recommendations. Use when testing proxy node quality, checking IP risk scores, verifying streaming unlock status, running speed tests, diagnosing latency, or comparing multiple nodes side-by-side.
Best use case
testing-nodes is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Runs IP reputation checks (risk scores, streaming unlock, blacklists via 9 providers) and network performance tests (BGP, latency, speed, routing to 31 Chinese provinces) on proxy nodes via SSH. Generates structured health reports with actionable recommendations. Use when testing proxy node quality, checking IP risk scores, verifying streaming unlock status, running speed tests, diagnosing latency, or comparing multiple nodes side-by-side.
Teams using testing-nodes should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/testing-nodes/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How testing-nodes Compares
| Feature / Agent | testing-nodes | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Runs IP reputation checks (risk scores, streaming unlock, blacklists via 9 providers) and network performance tests (BGP, latency, speed, routing to 31 Chinese provinces) on proxy nodes via SSH. Generates structured health reports with actionable recommendations. Use when testing proxy node quality, checking IP risk scores, verifying streaming unlock status, running speed tests, diagnosing latency, or comparing multiple nodes side-by-side.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# TunPilot Node Diagnostics
Dual-dimension diagnostics via direct SSH: [IPQuality](https://github.com/xykt/IPQuality) for IP reputation (risk scores, streaming unlock, blacklists) and [NetQuality](https://github.com/xykt/NetQuality) for network performance (BGP, latency, speed, routing). Zero API keys required.
**Prerequisites:**
- Node has `ssh_user` or `ssh_alias` configured and SSH key access from the local machine.
- `tunpilot-diag` wrapper installed on the node (auto-installed in Phase 2.0 if missing).
**Auxiliary files (read when referenced below):**
- [REPORT_TEMPLATE.md](REPORT_TEMPLATE.md) — table templates for rendering results (Phase 3)
- [REFERENCE.md](REFERENCE.md) — score/classification interpretation + recommendation patterns (Phase 3/4)
- [../_shared/DIAG_SETUP.md](../_shared/DIAG_SETUP.md) — install tooling if Phase 2.0 detects it missing
- [../_shared/SSH_TROUBLESHOOTING.md](../_shared/SSH_TROUBLESHOOTING.md) — generic SSH/systemd issues
---
## Phase 1: Identify Target
Ask the user which node(s) to test. Use `list_nodes` to show available nodes if needed.
Accept:
- A single node name or ID
- `all` → all enabled nodes that have `ssh_user` or `ssh_alias`
---
## Phase 2: Run Diagnostics
For each target node, fetch `ssh_alias`, `ssh_user`, `host`, `ssh_port` via `list_nodes`.
**Resolve SSH target** (used as `<ssh_target>` below):
- If `ssh_alias` set → `ssh <ssh_alias>`
- Otherwise → `ssh -p <ssh_port> <ssh_user>@<host>`
### 2.0 Pre-flight Check
```bash
ssh <ssh_target> "tunpilot-diag --version"
```
If missing, read [../_shared/DIAG_SETUP.md](../_shared/DIAG_SETUP.md) and run both steps on this node.
### 2.1 Execute Diagnostics
`tunpilot-diag` subcommands:
- `tunpilot-diag` / `tunpilot-diag all` — IPQuality + NetQuality (~5-7 min)
- `tunpilot-diag ip` — IP reputation only (~2-3 min)
- `tunpilot-diag net` — network performance only (~3-5 min)
Full suite:
```bash
ssh <ssh_target> "tunpilot-diag"
```
Output is two JSON lines on stdout:
- Line 1: `{"type":"ipquality","data":{...}}`
- Line 2: `{"type":"netquality","data":{...}}`
If a check fails the line contains `"error"` instead of `"data"`.
### Execution Strategy
- **Single node** — Use `run_in_background`; tell the user it runs ~5-7 min. The runtime notifies on completion.
- **Multiple nodes** — Launch each node in parallel via separate `run_in_background` Bash calls (independent SSH sessions).
### Fallback (if `tunpilot-diag` cannot be installed)
Run the raw scripts with ANSI filtering and extract JSON:
```bash
ssh <ssh_target> "export TERM=dumb; bash <(curl -sL IP.Check.Place) -j -4" 2>&1 \
| sed 's/\x1b\[[0-9;]*m//g' > /tmp/ipquality-<node>.txt
```
```python
python3 -c "
import json, sys
content = open('/tmp/ipquality-<node>.txt').read()
depth, start = 0, -1
for i, c in enumerate(content):
if c == '{' and start == -1: start, depth = i, 1
elif start >= 0:
depth += (c == '{') - (c == '}')
if depth == 0:
data = json.loads(content[start:i+1])
if 'Head' in data or 'Info' in data:
print(json.dumps(data)); break
start = -1
"
```
Repeat for NetQuality with `Net.Check.Place` and `-j -4 -y` flags.
---
## Phase 3: Present Report
Read [REPORT_TEMPLATE.md](REPORT_TEMPLATE.md) for the full table layout. Use [REFERENCE.md](REFERENCE.md) for score ratings, classification consensus analysis, and pattern matching.
- **Single node** — render all sections from the template in order (IP Quality → Network Quality).
- **Multi-node (2+)** — render the Multi-Node Comparison table from the template.
---
## Phase 4: Analysis & Recommendations
Analyse each node using the IP Quality Patterns and Network Quality Patterns in [REFERENCE.md](REFERENCE.md). Provide specific, actionable recommendations referencing actual data from the report — avoid generic advice.
For multi-node comparisons, follow the Multi-Node Recommendation guidelines in REFERENCE.md.
---
## Troubleshooting
| Symptom | Cause | Fix |
|---------|-------|-----|
| "Invalid input, script exited" | IPQuality dependencies missing | `apt-get install -y -qq jq curl bc netcat-openbsd dnsutils iproute2` |
| "No JSON found in output" | Script produced no JSON (captive portal, ANSI leak, etc.) | Run raw: `ssh <ssh_target> "bash <(curl -sL IP.Check.Place) -j -4"` |
| `IPQS: null` in scores | IPQS API unreachable | Not a problem — other 5 providers still give useful data |
| NetQuality timeout (>10 min) | Full mode too slow for this server | `tunpilot-diag ip` for quick IP-only check, or `tunpilot-diag net` without speedtest |
| iperf3 not installed | Missing dependency | `apt-get install -y -qq iperf3 mtr` |
| "speedtest not found" persists | `-y` auto-install failed | `curl -s https://packagecloud.io/install/repositories/ookla/speedtest-cli/script.deb.sh \| bash && apt-get install -y speedtest` |
For generic SSH / systemd failures, see [../_shared/SSH_TROUBLESHOOTING.md](../_shared/SSH_TROUBLESHOOTING.md).
---
## CLI Reference
| Command | Use When |
|---------|----------|
| `tunpilot node list` | See registered nodes with ssh_alias/ssh_user config |
| `tunpilot health [<id>]` | Quick health check before running diagnostics |Related Skills
deploying-xray-nodes
Deploys TCP Trojan proxy nodes on Xray-core with certbot Let's Encrypt or self-signed EC P-256 + SHA-256 certificate fingerprint pinning, TCP Fast Open kernel tuning with BBR, nginx-compatible fallback site, gRPC user sync (not HTTP auth callback), and systemd hardening with strict filesystem isolation. Use when deploying a Trojan node on Xray, pinning a self-signed cert fingerprint, configuring TCP Fast Open, or setting up the Xray gRPC stats API. Not for Hysteria2 — see deploying-hy2-nodes.
deploying-hy2-nodes
Deploys UDP/QUIC Hysteria2 proxy nodes with Brutal or BBR congestion control, inline ACME (or self-signed EC P-256), HTTP masquerade, QUIC receive/send window tuning based on server memory, systemd hardening with CAP_NET_ADMIN, and HTTP auth callback registration in TunPilot. Use when deploying a new Hysteria2 node, choosing Brutal vs BBR, tuning QUIC windows, setting up masquerade, or switching between ACME and self-signed TLS. Not for Xray/Trojan — see deploying-xray-nodes.
getting-started
Deploys TunPilot server via SSH, wires up the local `tunpilot` CLI or web admin, and verifies end-to-end connectivity. Use when installing TunPilot, deploying the server, configuring remote access, updating an existing installation, or setting up TunPilot for the first time.
jepsen-testing
Jepsen-style correctness testing for distributed systems under faults (partitions, crashes, clock skew) using concurrent operation histories and formal checkers (linearizability/serializability and Elle-style anomalies). Use when designing, implementing, or running Jepsen tests, or interpreting histories/violations.
webapp-testing
Toolkit for interacting with and testing local web applications using
testing-websocket-api-security
Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket upgrade, Cross-Site WebSocket Hijacking (CSWSH), injection attacks through WebSocket messages, insufficient input validation, denial-of-service via message flooding, and information leakage through WebSocket frames. The tester intercepts WebSocket handshakes and messages using Burp Suite, crafts malicious payloads, and tests for authorization bypass on WebSocket channels. Activates for requests involving WebSocket security testing, WS penetration testing, CSWSH attack, or real-time API security assessment.
testing-ransomware-recovery-procedures
Test and validate ransomware recovery procedures including backup restore operations, RTO/RPO target verification, recovery sequencing, and clean restore validation to ensure organizational resilience against destructive ransomware attacks.
testing-oauth2-implementation-flaws
Tests OAuth 2.0 and OpenID Connect implementations for security flaws including authorization code interception, redirect URI manipulation, CSRF in OAuth flows, token leakage, scope escalation, and PKCE bypass. The tester evaluates the authorization server, client application, and token handling for common misconfigurations that enable account takeover or unauthorized access. Activates for requests involving OAuth security testing, OIDC vulnerability assessment, OAuth2 redirect bypass, or authorization code flow testing.
testing-mobile-api-authentication
Tests authentication and authorization mechanisms in mobile application APIs to identify broken authentication, insecure token management, session fixation, privilege escalation, and IDOR vulnerabilities. Use when performing API security assessments against mobile app backends, testing JWT implementations, evaluating OAuth flows, or assessing session management. Activates for requests involving mobile API auth testing, token security assessment, OAuth mobile flow testing, or API authorization bypass.
testing-jwt-token-security
Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization bypass vulnerabilities during security engagements.
testing-handbook-generator
Generates comprehensive testing handbooks and guides for security testing strategies.
testing-for-xxe-injection-vulnerabilities
Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.