Back to skill

Security audit

Tesla Control via Tessie

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it gives an agent powerful real-world Tesla control without enough built-in safety checks.

Install only if you intentionally want an agent to access your Tessie account and control your Tesla. Prefer a protected secret store over shell-profile storage, verify the VIN before commands, require explicit human confirmation in your workflow for unlock, trunk/frunk, charging, climate, location, and software-update actions, and enable the cron job only if recurring Tessie checks are desired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requires both environment-variable access and outbound network access to control Tesla vehicles via the Tessie API, but those capabilities are not explicitly declared. This weakens reviewability and consent because a user may not realize the skill can read credentials and send remote vehicle-control commands to a third-party service.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script exposes software update scheduling and cancellation actions that are not disclosed in the manifest description, creating a capability mismatch between what users or orchestrators expect and what the code can do. Hidden or under-declared remote-control features increase the chance of misuse, surprise actions, and unsafe delegation in an agent context.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The boombox/fart command is an undisclosed capability that falls outside the manifest's specifically stated control set. While low impact compared with lock/unlock, undisclosed commands are still risky in agent environments because they weaken transparency and informed consent about what the skill may trigger remotely.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description is broad enough to match nearly any Tesla-related request, including sensitive control actions like unlock, trunk open, and climate/charging changes. Over-broad triggering increases the chance the skill is invoked in contexts where the user intended only informational assistance, enabling unintended real-world actions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The documentation advertises powerful vehicle-control actions such as unlock, open trunks, honk/flash, charging changes, and software-update scheduling without prominent warnings or confirmation requirements. Because these commands affect a physical asset and can expose vehicle access or location, lack of safety guidance materially raises the risk of accidental or unauthorized misuse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to persistently store the Tessie API key in shell profiles without warning that this creates long-lived credential exposure on the host. If the profile file, terminal history, backups, or multi-user environment is compromised, the key could be used to query location and issue remote vehicle commands.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The reference documents numerous real-world vehicle control actions such as unlock, trunk opening, climate control, charging changes, and HomeLink triggering without any safety guidance, confirmation requirements, or warnings about physical consequences. In the context of a skill designed to remotely control Tesla vehicles, this omission increases the risk that downstream agent implementations will expose dangerous commands casually or trigger them without informed user consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script directly executes impactful remote vehicle actions such as unlock, trunk opening, climate control, and charging changes without any confirmation, policy check, or friction step. In an agent setting, this makes prompt mistakes, unauthorized requests, or ambiguous user instructions far more likely to result in real-world effects on a vehicle.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.