Tesla Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is openly meant to control a Tesla, but it gives an agent sensitive vehicle-control authority without clear per-action confirmation rules.

Install only if you trust the teslacli/AgentGen source and are comfortable giving an agent Tesla account and vehicle-control authority. Inspect or pin the installer before running it, protect ~/.config/teslacli/, and require explicit approval for every command that unlocks, wakes, honks, changes climate, changes charging, or retrieves location/state data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill explicitly enables remote vehicle control actions such as unlock, honk, flash, climate, and charging, but does not include meaningful safety, authorization, or consent checks before describing those capabilities. In context, this is more dangerous than ordinary device control because it affects a physical asset and could facilitate unauthorized access or unsafe actions if invoked for the wrong vehicle or user.

External Script Fetching

Low

Category: Supply Chain
Content: - teslacli install: - kind: shell cmd: "curl -fsSL https://raw.githubusercontent.com/Agent-Gen-com/tesla-cli/main/install.sh | sh" bins: [teslacli] ---
Confidence: 97% confidence
Finding: curl -fsSL https://raw.githubusercontent.com/Agent-Gen-com/tesla-cli/main/install.sh | sh

External Script Fetching

Low

Category: Supply Chain
Content: ## Installation ```sh curl -fsSL https://raw.githubusercontent.com/Agent-Gen-com/tesla-cli/main/install.sh | sh ``` Supports macOS (Intel & Apple Silicon) and Linux (x86_64 & ARM64).
Confidence: 97% confidence
Finding: curl -fsSL https://raw.githubusercontent.com/Agent-Gen-com/tesla-cli/main/install.sh | sh

Chaining Abuse

High

Category: Tool Misuse
Content: ## Installation ```sh curl -fsSL https://raw.githubusercontent.com/Agent-Gen-com/tesla-cli/main/install.sh | sh ``` Supports macOS (Intel & Apple Silicon) and Linux (x86_64 & ARM64).
Confidence: 98% confidence
Finding: | sh

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal