tescmd

Security checks across malware telemetry and agentic risk

Overview

This setup guide is not malicious, but it enables agent-connected Tesla vehicle access with persistent credentials and a risky remote installer pattern, so it belongs in Review.

Install only if you trust the @oceanswave OpenClaw plugin, the tescmd Python package, the Tesla Developer/Fleet API setup, and the gateway you connect to. Prefer official signed install channels over curl-to-shell, complete OAuth and vehicle pairing yourself, protect files under ~/.config/tescmd with restrictive permissions, avoid passing tokens on command lines when possible, review the runtime tescmd tools before allowing agent access, and know how to stop the node and revoke stored tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide instructs users to place highly sensitive values such as Tesla client secrets and OpenClaw gateway tokens in CLI flags and a local .env file, but it does not explicitly warn that these credentials grant access to vehicle APIs or gateway connectivity and must be protected. In this context, exposure could allow unauthorized vehicle control, telemetry access, or node impersonation if shell history, logs, screenshots, or weak filesystem permissions leak the secrets.

External Script Fetching

High
Category
Supply Chain
Content
If not installed:
- macOS: `brew install tailscale` or download from https://tailscale.com/download
- Linux: `curl -fsSL https://tailscale.com/install.sh | sh`

If not logged in:
Confidence
97% confidence
Finding
curl -fsSL https://tailscale.com/install.sh | sh

VirusTotal

66/66 vendors flagged this skill as clean.
