Tesla China
A remote-control skill for Tesla owners in China, built on Tesla's official Fleet API; simple to use, with a natural experience.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 28 · 0 current installs · 0 all-time installs
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a client for Tesla's Fleet API, but rather than calling Tesla's official endpoints it directs all requests to https://tesla.dhuar.com and requires an apiKey obtained from that site. A user might reasonably expect direct communication with Tesla; routing credentials and vehicle data through a third party is not implied by the description and is disproportionate to the stated purpose without further justification.
Instruction Scope
The SKILL.md and scripts instruct the agent/user to store an apiKey in ~/.tesla_cn.json or pass it on the command line. The runtime behavior appends that apiKey (and VINs / request data) as query parameters to the proxy URL. The instructions do not attempt to read other system files, but they do direct potentially sensitive vehicle data and credentials to an external service (tesla.dhuar.com).
Install Mechanism
There is no install spec or remote downloader — the skill is instruction plus two small JS scripts. Nothing is fetched from arbitrary URLs at install time. This is low risk from an installation perspective.
Credentials
No platform environment variables are requested, but the skill requires an apiKey which the user must obtain from a third party and store locally. That apiKey is effectively a credential granting remote control; requesting it (and guiding the user to a non‑official issuer) is a disproportionate trust requirement given the skill's description. The scripts also require writing a file in the user's home directory (~/.tesla_cn.json) to persist that secret.
Persistence & Privilege
The skill does not request always:true and can be invoked by the user. It does write/modify a single config file (~/.tesla_cn.json) in the user's home directory to store the apiKey — this is expected for storing a credential but is persistent and should be considered sensitive.
What to consider before installing
This skill is coherent and the code is small and readable, but it relies on a third‑party proxy (https://tesla.dhuar.com) and asks you to obtain and store an apiKey from that site. Before installing or using it: 1) Verify who runs tesla.dhuar.com and whether you trust them to receive your apiKey, VINs, and vehicle telemetry/location; 2) Prefer using official Tesla authentication if possible, or only use a revocable/dedicated key; 3) Understand that the skill will store the apiKey in ~/.tesla_cn.json (anyone with file access can read it) — consider file permissions and storing secrets in a safer vault; 4) If unsure, contact the author or run the scripts in an isolated environment and monitor outbound requests to confirm behavior; 5) If you proceed, treat the apiKey as sensitive and be prepared to revoke it if you lose trust in the proxy service.
scripts/tesla-command.js:123
Environment variable access combined with network send.
scripts/tesla-command.js:131
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.1
SKILL.md
Tesla CN Skill
A remote-control skill for Tesla owners in China, built on Tesla's official Fleet API; simple to use, with a natural experience.
Setup
Requirements
- Node.js 18 or later (built-in fetch)
- An apiKey obtained from https://tesla.dhuar.com

{baseDir} is usually the current workspace root, for example /home/robin/.openclaw/workspace.
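Where to store the apiKey (recommended)
By default, the apiKey is read from ~/.tesla_cn.json in the current user's home directory.
Example configuration file contents: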
{
"apiKey": "YOUR_API_KEY"
}
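- Linux / macOS: the path looks like /home/<user>/.tesla_cn.json or /Users/<user>/.tesla_cn.json
- Windows: the path looks like C:\Users\<User>\.tesla_cn.json (internally it is still resolved automatically from the user's home directory)

If apiKey=... is also passed as a command-line argument, the command-line argument takes precedence and overrides the value in the configuration file.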
Initialize the configuration file in one step
You can use the script bundled with the skill to create or update ~/.tesla_cn.json:
node {baseDir}/skills/tesla-cn/scripts/init-tesla-config.js \
apiKey="YOUR_API_KEY"
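On success, ~/.tesla_cn.json is created or updated in the current user's home directory; after that, the apiKey parameter can be omitted from the commands below.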
Argument format
- 1st argument: type=... (endpoints / commands)
- 2nd argument: name=...
- 3rd and later arguments: optional vin=..., data='{"key":"value"}'
Commands
# Vehicle list (GET /api/1/vehicles)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=endpoints \
name=list
# Vehicle details (GET /api/1/vehicles/{vin})
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=endpoints \
name=vehicle \
vin="YOUR_VIN"
# Live vehicle state (GET /api/1/vehicles/{vin}/vehicle_data)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=endpoints \
name=vehicle_data \
vin="YOUR_VIN"
# List of drivers allowed on the vehicle (GET /api/1/vehicles/{vin}/drivers)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=endpoints \
name=drivers \
vin="YOUR_VIN"
# Vehicle subscription eligibility (GET /api/1/dx/vehicles/subscriptions/eligibility?vin={vin})
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=endpoints \
name=eligible_subscriptions \
vin="YOUR_VIN"
# Vehicle warranty information (GET /api/1/dx/warranty/details)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=endpoints \
name=warranty_details
# fleet_status: aggregated status of multiple vehicles (POST /api/1/vehicles/fleet_status)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=endpoints \
name=fleet_status \
data='{"vins":["VIN1","VIN2"]}'
# Wake the vehicle (POST /api/1/vehicles/{vin}/wake_up)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=endpoints \
name=wake_up \
vin="YOUR_VIN"
# Turn on cabin climate control (POST /api/1/vehicles/{vin}/command/auto_conditioning_start)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=commands \
name=auto_conditioning_start \
vin="YOUR_VIN"
# Turn off cabin climate control (POST /api/1/vehicles/{vin}/command/auto_conditioning_stop)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=commands \
name=auto_conditioning_stop \
vin="YOUR_VIN"
# Flash the lights (POST /api/1/vehicles/{vin}/command/flash_lights)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=commands \
name=flash_lights \
vin="YOUR_VIN"
# Lock the doors (POST /api/1/vehicles/{vin}/command/door_lock)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=commands \
name=door_lock \
vin="YOUR_VIN"
# Open the charge port door (POST /api/1/vehicles/{vin}/command/charge_port_door_open)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=commands \
name=charge_port_door_open \
vin="YOUR_VIN"
# Close the charge port door (POST /api/1/vehicles/{vin}/command/charge_port_door_close)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=commands \
name=charge_port_door_close \
vin="YOUR_VIN"
# Front trunk / rear trunk (POST /api/1/vehicles/{vin}/command/actuate_trunk)
# which_trunk can be "front" or "rear"
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=commands \
name=actuate_trunk \
vin="YOUR_VIN" \
data='{"which_trunk":"front"}'
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=commands \
name=actuate_trunk \
vin="YOUR_VIN" \
data='{"which_trunk":"rear"}'
# Honk the horn (POST /api/1/vehicles/{vin}/command/honk_horn)
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=commands \
name=honk_horn \
vin="YOUR_VIN"
# Play a sound through the external speaker remotely (POST /api/1/vehicles/{vin}/command/remote_boombox)
# Example sound IDs:
# 0 → random fart
# 2000 → locate beep
node {baseDir}/skills/tesla-cn/scripts/tesla-command.js \
type=commands \
name=remote_boombox \
vin="YOUR_VIN" \
data='{"sound":2000}'
Safety
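- This is remote control of a Tesla vehicle; it is recommended to first use the list command to confirm connectivity and permissions before trying commands.
- Avoid running operations such as door_lock / actuate_trunk against a real vehicle without first confirming that the surroundings are safe.
- Commands such as honk_horn and remote_boombox may disturb people nearby; use them with care, in a safe and compliant setting.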
Privacy
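- Do not commit your apiKey, VIN, or raw response output containing location information to a git repository.
- If you need to share logs, manually redact them first (remove fields such as apiKey, VIN, and geolocation).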
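
The redaction step recommended above can be automated. The following is an added example, not code shipped with the skill: it strips the apiKey from logged URLs (the scan notes the key is appended as a query parameter) and masks VINs and coordinates in a JSON response. The field names, the apiKey query parameter name, the host proxy.example and all sample values are assumptions or constructed placeholders.

```javascript
// Added example: redact apiKey, VINs and location before sharing a log.
// Key names are assumptions about the log/response shape, not taken from the skill.
const SENSITIVE_KEYS = /^(api[_-]?key|vins?|(native_)?(latitude|longitude))$/i;
// A VIN is 17 characters and never contains I, O or Q. This also masks any
// other 17-character uppercase token, which is acceptable for a shared log.
const VIN_PATTERN = /\b[A-HJ-NPR-Z0-9]{17}\b/g;
// The apiKey as it would appear inside a logged URL or free-text line.
const APIKEY_IN_TEXT = /(apiKey=)[^&\s"']+/gi;

function redactString(text) {
  return text
    .replace(APIKEY_IN_TEXT, "$1[REDACTED]")
    .replace(VIN_PATTERN, "[VIN]");
}

// Walk any JSON-like value; mask whole values under sensitive keys and
// scrub secrets embedded in remaining strings.
function redact(value, key = "") {
  if (SENSITIVE_KEYS.test(key)) return "[REDACTED]";
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((item) => redact(item));
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, redact(v, k)])
    );
  }
  return value;
}

// Constructed sample log entry (placeholder host, made-up key, VIN and position).
const sampleEntry = {
  url: "https://proxy.example/api/1/vehicles/5YJ3E1EA7KF000001/vehicle_data?apiKey=EXAMPLEKEY123",
  response: {
    vin: "5YJ3E1EA7KF000001",
    drive_state: { latitude: 31.2304, longitude: 121.4737, speed: null },
    charge_state: { battery_level: 72 },
  },
};

console.log(JSON.stringify(redact(sampleEntry), null, 2));
```

Non-sensitive fields such as battery_level pass through unchanged, so the redacted log stays useful for debugging.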
