Back to skill

Security audit

Tesla

Security checks across malware telemetry and agentic risk

Overview

This Tesla skill appears legitimate and purpose-aligned, but it grants powerful vehicle-control and location access with under-scoped safeguards and credential storage guidance.

Install only if you trust the machine and operators using it. Treat the Tesla token cache as a password, prefer explicit vehicle selection for every command, and be cautious with unlock, honk, climate, charging, and location commands because they can affect or reveal a real vehicle.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares an environment variable requirement (`TESLA_EMAIL`) but does not declare corresponding permissions despite accessing sensitive account-linked functionality. In a vehicle-control context, missing or incomplete permission signaling weakens user awareness and review controls around a skill that can lock, unlock, locate, and otherwise control a physical asset.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README advertises sensitive capabilities including unlock, climate control, charging, and precise vehicle location without clearly warning users about the physical safety, privacy, and abuse implications of granting these permissions. In a skill that controls a real vehicle, omission of such warnings can lead users to enable powerful actions without understanding the consequences of misuse, accidental invocation, or account compromise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The authentication instructions tell users to export an email address and complete OAuth while noting that tokens are cached locally for about 30 days, but they do not emphasize that the cached refresh token is highly sensitive and effectively grants continued access to vehicle controls. If the local system is shared or compromised, token theft could allow an attacker to track the car, unlock it, or issue other remote commands.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill states that commands target the first vehicle when `--car` is omitted, but it does not present this as a prominent warning despite supporting security-sensitive actions like unlock, climate control, honk, and charging. In a multi-vehicle account, ambiguous targeting can cause unintended actions on the wrong car, including unlocking or revealing the location of an unintended vehicle.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The location command prints precise latitude/longitude and a Google Maps link, which sends sensitive vehicle location data to an external service when used. In a vehicle-control skill, this is privacy-sensitive because it can reveal a user's real-time whereabouts and home/work patterns, and there is no explicit warning, consent prompt, or privacy-preserving option.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script stores Tesla authentication material in a persistent cache file under the user's home directory without any disclosure, permission hardening, or secure-storage mechanism. If that file is exposed through weak filesystem permissions, backups, multi-user access, or other local compromise, an attacker may gain access to Tesla account sessions and vehicle-control capabilities.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.