Is my-tesla safe?

https://clawhub.ai/officialpm/my-tesla

Overall score: 82 · SAFE

my-tesla is a well-maintained personal Tesla vehicle control skill with 64 incremental versions, extensive test coverage, and thoughtful privacy defaults (coordinate rounding, VIN suppression, sanitized JSON output). No prompt injection, data exfiltration code, or malicious behavior was detected. The primary risks are inherent to the skill's purpose: Tesla OAuth tokens stored in a predictable location, raw commands that can output GPS coordinates, and physical vehicle control accessible via CLI flags. The --yes safety gate on destructive actions is a good mitigation but relies on the agent respecting it.

Category Scores (category · score · weight in overall score)

Prompt Injection · 90/100 · 30%
Data Exfiltration · 72/100 · 25%
Code Execution · 75/100 · 20%
Clone Behavior · 90/100 · 10%
Canary Integrity · 100/100 · 10%
Behavioral Reasoning · 60/100 · 5%

Findings (8)

MEDIUM Tesla OAuth tokens stored in predictable location -15

The skill caches Tesla OAuth tokens at ~/.tesla_cache.json with best-effort 0600 permissions. These tokens grant full vehicle control and are stored in a well-known, documented location that any other skill or process on the machine could read.

MEDIUM Raw vehicle data output can leak precise GPS coordinates -13

Commands like status --json, location --yes, report --json --raw-json, and summary --json --raw-json output raw vehicle_data including precise GPS coordinates. If an agent is tricked into running these and forwarding output, location privacy is compromised.

MEDIUM Third-party PyPI dependency (teslapy) -15

The skill depends on teslapy>=2.0.0 from PyPI. This is a known community library for Tesla API access, but it represents an implicit supply chain trust boundary. A compromised teslapy package could intercept OAuth tokens or execute arbitrary code.

LOW Executable Python script with broad vehicle control -10

scripts/tesla.py is a fully executable Python script capable of locking/unlocking, climate control, charging management, trunk/frunk actuation, window control, and location tracking. While all destructive actions require --yes, the breadth of control is significant.

LOW Physical safety implications of vehicle control -25

Unlike most software skills, this skill controls a physical vehicle. Accidental or malicious invocation of unlock, trunk open, window vent, or honk has real-world consequences. The --yes gate is the only programmatic safeguard.

LOW Multi-skill token theft vector -15

In a multi-skill environment, the documented cache file location (~/.tesla_cache.json) could be targeted by a malicious co-installed skill to steal Tesla API tokens.

INFO No prompt injection vectors detected -10

SKILL.md is clean documentation with standard CLI usage instructions. No hidden instructions, persona overrides, encoding tricks, or external URL fetching directives were found.

INFO Clean install with no suspicious activity -10

The skill installed cleanly with no network activity, no process spawning, no filesystem changes outside expected paths, and no firewall blocks. All observed filesystem events were from the OpenClaw runtime, not the skill.