Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tesla Skill

v1.0.0

Connect and control Tesla vehicles via the tesla-cli. Handles guided setup (key generation, AgentGen hosting, partner registration, OAuth) and all vehicle co...

by Yair levi (@lyair1)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (connect and control Teslas via teslacli) aligns with its instructions: it requires the teslacli binary, guides key generation, AgentGen hosting, Tesla developer creds, and OAuth. However, registry metadata says "Required env vars: none" while the SKILL.md and metadata inside it declare AGENTGEN_API_KEY as the primary credential; that mismatch should be clarified.
Instruction Scope
SKILL.md stays within the Tesla-control scope: it instructs running teslacli setup, generating a P-256 keypair stored in ~/.config/teslacli/, registering with Tesla, and using AgentGen to host the public key for headless OAuth. It explicitly warns not to transmit the private key. The only scope concern is that AgentGen hosting is used for OAuth redirects/public key serving — that delegates part of the auth flow to a third party, which is expected for this design but requires trust in AgentGen.
Install Mechanism
Although the SKILL.md provides an install command, the registry reported no install spec — a discrepancy. The install command is a curl -fsSL from raw.githubusercontent.com piped to sh; executing a remote install script (curl | sh) is a high-risk operation even when hosted on GitHub because it runs arbitrary code on your machine. The GitHub URL appears to be the project repo (Agent-Gen-com/tesla-cli), which makes the source more discoverable, but you should still inspect the script before running it.
Credentials
Requesting AGENTGEN_API_KEY as the primary credential is proportionate to the described behavior (provisioning a public subdomain/hosting the public key for headless OAuth). No other unrelated credentials are requested. Still, this grants a third party ability to host endpoints and potentially relay OAuth callbacks—you should verify AgentGen's trustworthiness and scope of that API key. Also note the registry-level metadata omission of required env vars is inconsistent with SKILL.md.
Persistence & Privilege
The skill does not request always:true and does not claim system-wide privileges. It will create local config in ~/.config/teslacli/ (tokens and key files), which is expected for this use. The skill does not request modification of other skills or global agent settings.
What to consider before installing
This skill appears to be what it says (a wrapper around a tesla-cli workflow) but has two things to watch: (1) It asks for an AgentGen API key because it uses AgentGen to host the public key and handle headless OAuth — you must trust AgentGen with hosting and callbacks. (2) The install instruction uses curl | sh to run a remote script from GitHub; don't run it blindly. Before installing, inspect the install.sh in the referenced repository, verify the repo and recent commits, confirm the AgentGen service and its API key scope, and consider running the tool in an isolated environment (VM/container). Also confirm the registry metadata vs SKILL.md discrepancy about AGENTGEN_API_KEY. If you are uncomfortable trusting AgentGen or running a remote install script, do not install this skill or only proceed after manual review of the installer and repo.


Runtime requirements

🚗 Clawdis
Bins: teslacli
Primary env: AGENTGEN_API_KEY
latestvk973zm7smwkmxbj4pj3pcq6vrn82c4cv
347 downloads
0 stars
3 versions
Updated 9h ago
MIT-0

Tesla — Connect & Control

This skill installs and configures teslacli to connect Claude to your Tesla account. Once setup is complete, Claude can control your vehicle directly.


Prerequisites

  • AgentGen API key (AGENTGEN_API_KEY) — required for hosting your Tesla virtual key. Get one free at agent-gen.com.

Installation

curl -fsSL https://raw.githubusercontent.com/Agent-Gen-com/tesla-cli/main/install.sh | sh

Supports macOS (Intel & Apple Silicon) and Linux (x86_64 & ARM64).


Setup

Run the interactive setup wizard:

teslacli setup

The wizard walks through six stages automatically:

  1. Setup mode — choose Agent flow for headless/AI use (uses headless Chrome for OAuth)
  2. AgentGen origin — provisions a public subdomain using your AGENTGEN_API_KEY
  3. Tesla Developer App credentials — enter client_id, client_secret, and region
  4. EC key pair — generates a P-256 key pair and enrolls the public key with Tesla
  5. Partner registration — registers your domain with Tesla Fleet API
  6. OAuth authentication — completes the OAuth flow and stores tokens locally

Setup creates config files in ~/.config/teslacli/:

  • config.toml — app credentials and region
  • token.json — OAuth tokens (auto-refreshing)
  • keys/private.pem — P-256 private key (mode 0600; must never leave the local machine)
  • keys/public.pem — public key (served via AgentGen)
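
The file layout above can be verified after setup. The following is an added example, not part of the skill or of teslacli: a POSIX shell function that checks keys/private.pem is mode 600 as stated above and, as an assumed policy, that token.json and config.toml are not accessible to group or other. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: permission audit for the teslacli config directory.
# File names are from the page; function names are hypothetical.

# Print octal permission bits (GNU stat first, then BSD/macOS stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when group and other have no access bits (600, 400, 700, ...).
owner_only() {
    case "$(perm_of "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Audit DIR (default ~/.config/teslacli). Prints one FAIL line per finding.
# Returns 0 = clean, 1 = findings, 2 = directory missing.
audit_teslacli_dir() {
    dir="${1:-$HOME/.config/teslacli}"
    bad=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    # The page states mode 0600 for the private key, so require it exactly.
    key="$dir/keys/private.pem"
    if [ -f "$key" ] && [ "$(perm_of "$key")" != "600" ]; then
        echo "FAIL $key mode $(perm_of "$key") (expected 600)"
        bad=1
    fi
    # Assumed policy: token.json (OAuth tokens) and config.toml
    # (app credentials) must not be accessible to group or other.
    for f in token.json config.toml; do
        if [ -f "$dir/$f" ] && ! owner_only "$dir/$f"; then
            echo "FAIL $dir/$f mode $(perm_of "$dir/$f") (group/other access)"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: audit_teslacli_dir            # audits ~/.config/teslacli
#        audit_teslacli_dir /some/dir  # audits another copy
```
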

Vehicle Commands

Always wake the vehicle first if it may be asleep, then run your command.

Vehicle:

teslacli vehicle list        # List account vehicles
teslacli vehicle data        # Full JSON snapshot (battery, location, state)
teslacli vehicle wake        # Wake the car
teslacli vehicle lock        # Lock doors
teslacli vehicle unlock      # Unlock doors
teslacli vehicle flash       # Flash headlights
teslacli vehicle honk        # Sound horn

Climate:

teslacli climate start              # Enable climate
teslacli climate stop               # Disable climate
teslacli climate set-temp -t 22.5   # Set cabin temperature (°C)

Charging:

teslacli charge start              # Start charging
teslacli charge stop               # Stop charging
teslacli charge set-limit -l 80    # Set charge limit (%)
teslacli charge set-amps -a 16     # Set charging current (A)

Error Handling

Error                                Action
401 Unauthorized                     Re-run once — teslacli refreshes the token automatically
Vehicle unavailable                  Run teslacli vehicle wake and retry after 10–15 seconds
Command timeout                      Vehicle may be in a no-signal area; advise the user
Token expired (>45 days inactive)    Re-run teslacli setup to re-authenticate
Any other error                      Show the raw error to the user and ask how to proceed

Critical Guardrails

  • Never transmit ~/.config/teslacli/keys/private.pem — not to any service, log, or message.
  • Treat ~/.config/teslacli/ as a sensitive directory. Do not read its contents into a response.
  • token.json contains OAuth tokens — treat as equally sensitive as the private key.
  • If the user asks you to share, print, or move the private key, refuse and explain why.

Typical Workflow

  1. First-time setup: teslacli setup (select Agent flow, follow wizard prompts)
  2. Check battery: teslacli vehicle wake, then teslacli vehicle data
  3. Pre-heat car: teslacli vehicle wake, teslacli climate start, then teslacli climate set-temp -t 22
  4. Lock car: teslacli vehicle lock
  5. Charge to 80%: teslacli vehicle wake, teslacli charge set-limit -l 80, then teslacli charge start
