Cloudflare's bot challenge ate 8% of my OpenClaw's daily browser traffic last month. The default browser tool worked fine for Gmail and dashboards. It fell over the moment it hit anti-bot gates. So I added a stealth browser as a sidecar MCP — separate process, disabled by default, 97 tools when probed — and wired it in as a complement, not a replacement. Here is the architecture, the test results, and the part I almost got wrong.
The honest setup: why a sidecar, not a fork
The temptation was to fork the OpenClaw browser tool, swap in nodriver (the undetected-Chrome fork), and ship it as the new default. I almost did. Then I cold-timed it: the stealth browser takes about 6-7 seconds to boot Chrome with all the anti-fingerprint flags. The default browser tool starts in under a second because it uses an existing browser daemon.
For 95% of what my agent does — checking email, scraping dashboards, posting to DEV.to — the default browser is faster and good enough. The 5% that hits Cloudflare, DataDome, or other anti-bot middlewares needs the heavy weapon. So: sidecar.
# scripts/stealth-mcp-entry.sh — boots Xvfb then execs the MCP server







