Tesla Control via Tessie
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: tesla-tessie Version: 1.0.0 The skill is designed to control and monitor Tesla vehicles via the Tessie API. It requires a `TESSIE_API_KEY` environment variable, which is used to authenticate requests to the legitimate `https://api.tessie.com` endpoint. The Python scripts (`scripts/tessie.py`, `scripts/check-updates.py`) perform network requests and parse JSON responses, all directly related to the stated purpose. The `SKILL.md` instructions are clear, transparent, and do not contain any prompt injection attempts or directives for malicious actions. The suggested cron job for update notifications is a legitimate use of persistence for the skill's functionality. All observed behaviors are aligned with the stated purpose and lack evidence of intentional harm, data exfiltration to unauthorized endpoints, or other malicious activities.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked too broadly or by mistake, the agent could unlock the car, open storage compartments, change charging or climate state, or schedule an immediate software update.
The script directly sends vehicle mutation commands that can affect physical access or vehicle availability, and the artifacts do not show an explicit confirmation or safety policy before these actions run.
elif action == 'unlock': ... result = invoke_command(api_key, args.vin, 'unlock') ... elif action == 'open_trunk': ... 'rear_trunk' ... elif action == 'schedule_update': seconds = int(args.value) if args.value else 0 ... 'command/schedule_software_update'
Require explicit user confirmation for unlock, trunk, charging, climate, and software-update commands; restrict allowed actions where possible; and add validation for sensitive values such as charge limit and temperature.
Anyone or any process with access to that environment variable may be able to use the Tessie API with the same vehicle permissions.
The Tessie API key is expected for this integration, but it grants access to Tesla account vehicle data and commands, and the instructions suggest storing it persistently.
Set the `TESSIE_API_KEY` environment variable ... export TESSIE_API_KEY="your-api-key-here" ... For persistent storage, add to your shell profile
Treat the Tessie API key like a password, avoid storing it in shared profiles if not needed, rotate it if exposed, and use least-privilege or read-only credentials if Tessie supports them.
Users have less external assurance about who maintains the skill or where updates originate.
The included code is visible and no hidden installer is shown, but provenance is limited for a skill that controls a physical device.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the included scripts before use, prefer a trusted source, and install dependencies in a controlled environment such as a virtual environment.
A recurring task could continue checking the vehicle account every six hours until the user removes it.
This is an optional, disclosed scheduled task that would keep periodically using the skill after setup.
cron add --schedule "0 */6 * * *" --text "Check my Tesla for software updates and notify me if one is available"
Only create the cron task if you want ongoing monitoring, include a specific VIN if needed, and remove the schedule when you no longer want notifications.