Is biguntroll/tesla-tessie safe?
https://github.com/openclaw/skills/tree/main/skills/biguntroll/tesla-tessie
The biguntroll/tesla-tessie skill is a functionally legitimate Tesla vehicle control wrapper for the Tessie API. The Python scripts are clean, readable, and communicate exclusively with api.tessie.com — no malicious code, exfiltration endpoints, obfuscation, or prompt injection was found in the skill itself. The primary risks are inherent to the skill's purpose: granting an AI agent real-world physical vehicle control (unlock, trunk, location, sentry, valet mode) means any prompt injection vulnerability from other agent inputs becomes a physical safety threat, and a SKILL.md-suggested cron job creates persistent autonomous scheduling without per-session consent.
Findings (8)
MEDIUM High-consequence physical vehicle control -20
The skill provides commands to unlock doors, open the frunk/trunk, disable sentry mode, and enable valet mode. If an agent using this skill is manipulated via prompt injection from any other input source (email body, webpage content, calendar event, document), an attacker can trigger physical access to the user's vehicle without direct user approval.
MEDIUM Cron job persistence instruction in SKILL.md -8
SKILL.md includes a ready-to-use cron add snippet that instructs the agent to register a recurring scheduled task executing every 6 hours. This creates persistent autonomous agent behavior that outlives any single session and was not explicitly requested by the user at install time.
MEDIUM Real-time vehicle location surfaced through agent -10
The location command returns current GPS coordinates, heading, and speed. An agent with this skill active could be instructed by injected content to silently retrieve and relay vehicle location to an attacker-controlled channel via another co-active skill (e.g., email or HTTP skill).
LOW API response content processed by agent without sanitization -4
tessie.py and check-updates.py print raw JSON API responses to stdout, which the agent ingests and interprets. Tessie vehicle metadata fields (e.g., display_name, software_update.version) could theoretically be crafted by a compromised Tessie account or MITM to contain prompt injection payloads targeting the agent.
LOW TESSIE_API_KEY exposed with full vehicle control scope -8
The API key grants access to all Tessie-supported vehicle operations (locks, climate, charging, location, firmware updates). The key is present in the agent's environment and transmitted in Authorization headers on every API call. If the agent's context or logs are accessible to other parties, the key is at risk.
LOW Firmware update scheduling via agent -8
The schedule_update command (with value=0 for immediate) allows the agent to trigger an immediate vehicle firmware update. Firmware updates require the vehicle to reboot its systems and may temporarily disable certain vehicle functions. Triggering this unexpectedly could surprise or strand a user.
INFO VIN enumeration on account -2
The vehicles command returns all VINs associated with the Tessie account. VINs can be used to look up vehicle registration, ownership history, and other records. This is expected functionality but is worth noting as sensitive data returned to the agent context.
INFO Canary file accesses attributed to audit framework 0
Filesystem monitoring detected accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at 08:05:06 (before skill install) and 08:05:23 (post-install canary check). Process audit confirms these are the oathe audit sudo/PAM processes, not skill code. Canary integrity is confirmed intact.