tescmd

Warn

Audited by ClawScan on May 10, 2026.

Overview

The guide is coherent for a Tesla integration, but it sets up external components with persistent vehicle-control and telemetry access without showing the runtime safety limits in the reviewed artifact.

Install this only if you are comfortable giving OpenClaw and the tescmd components access to control and monitor your Tesla. Verify the external packages, complete OAuth and pairing yourself, require manual confirmation for vehicle-affecting actions, and know how to disable the plugin and revoke tokens.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent or workflow with access to the installed tools could potentially affect a vehicle or request telemetry if the runtime plugin does not enforce clear user confirmation and safety boundaries.

Why it was flagged

After setup, the agent-accessible plugin can issue signed commands to a real vehicle, but the reviewed setup artifact does not document runtime approval requirements, safe command limits, or containment for those high-impact tools.

Skill content

Once installed and paired, the plugin automatically registers all tools, commands, slash commands, and telemetry event types... 39 agent-callable tools... Vehicle Command Protocol (VCSEC — signed commands)... Tesla Vehicle

Recommendation

Review the runtime tescmd tool documentation before enabling it, require explicit user confirmation for vehicle-affecting commands, and disable the plugin when not actively needed.

What this means

The integration may hold account or vehicle authorization tokens that allow access to Tesla vehicle data and commands.

Why it was flagged

The setup uses Tesla OAuth/account authorization, which is expected for Tesla vehicle integration but grants sensitive delegated access.

Skill content

tescmd auth status... This should show a valid token. If it shows expired or missing, the user needs to re-run: tescmd auth login

Recommendation

Use the minimum necessary account privileges, keep tokens protected, and know how to revoke Tesla and OpenClaw node access.

What this means

If the external package source is compromised or not the intended package, it could receive sensitive vehicle/account permissions during setup.

Why it was flagged

The guide asks the user to install external plugin and Python packages whose executable code is not included in this instruction-only artifact; this is normal for setup, but users must trust those sources before granting Tesla access.

Skill content

openclaw plugins install @oceanswave/openclaw-tescmd... pip install tescmd

Recommendation

Install only from the intended publisher/repository, verify package names and versions, and review the external project before authenticating with Tesla.

What this means

Vehicle telemetry can include sensitive information such as location, status, and usage patterns.

Why it was flagged

The integration intentionally streams vehicle telemetry through gateway/WebSocket infrastructure and may expose a public HTTPS endpoint; this is purpose-aligned but privacy-sensitive.

Skill content

Real-time telemetry streaming... Fleet Telemetry Stream (WebSocket)... Tailscale provides a public HTTPS endpoint for Tesla Fleet Telemetry streaming

Recommendation

Confirm endpoint authentication, limit telemetry exposure where possible, and review retention/sharing behavior before enabling streaming.