Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
tescmd
v1.0.0
Installation and setup guide for Tesla vehicle control and telemetry via the tescmd node.
⭐ 2· 2.1k·1 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes installing a Gateway plugin and a tescmd node to control Tesla vehicles — that aligns with the skill name and description. However, the registry metadata declares no required binaries or credentials while the instructions explicitly require git, GitHub CLI (gh), Python 3.11+, and (recommended) Tailscale; this mismatch is an inconsistency in the published metadata.
Instruction Scope
The instructions stay within the stated purpose: installing the plugin, installing the tescmd CLI, running an interactive setup that generates keys, performing OAuth login with Tesla, hosting a public key (GitHub Pages or Tailscale), and pairing the node. They do instruct writing tokens/keys to local config (e.g., ~/.config/tescmd/bridge.json) and require physical presence for vehicle pairing — all expected for this use case.
Install Mechanism
This is an instruction-only skill (no automatic install). The install steps call 'pip install tescmd' and suggest running 'curl ... | sh' to install Tailscale if desired. Those are normal for user-driven installs but carry moderate risk (PyPI package, remote install script). The skill does not automatically download or run code itself, but the user will execute network-installed software.
Credentials
Although the registry shows no required env vars or primary credential, the setup requires GitHub authentication (gh login) and a Tesla account OAuth flow; it also generates and hosts EC public keys and stores tokens locally. Sensitive credentials and access (GitHub repo/pages, Tesla OAuth tokens) are involved but not declared in metadata — the omission reduces transparency and is a proportionality concern.
Persistence & Privilege
The skill does not request 'always: true' and uses normal plugin/node pairing. The tescmd node persists an auth token to a user config path (~/.config/tescmd/bridge.json), which is expected for this integration. No instructions indicate modifying other skills or system-wide settings.
What to consider before installing
This skill appears to be a legitimate setup guide for the tescmd node, but before installing:
1) Be aware you will need to run interactive flows that create OAuth tokens and EC keys and host a public key (GitHub Pages or Tailscale) — these involve your GitHub and Tesla accounts.
2) The registry metadata did not declare the required tools (git, gh, python, optionally tailscale); treat that as a transparency gap.
3) 'pip install tescmd' and any 'curl | sh' installer fetch and run code from the network — review the tescmd and installer sources (GitHub repo and PyPI package) to ensure they are trustworthy.
4) Consider performing the setup on an isolated machine or VM, inspect ~/.config/tescmd/bridge.json after setup, and avoid sharing tokens.
If you want me to, I can: (a) fetch and summarize the tescmd GitHub repo contents for suspicious patterns, (b) list exactly which files/paths the setup writes, or (c) walk you step-by-step through doing this in an isolated environment.
Like a lobster shell, security has layers — review code before you run it.
