tescmd
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
The skill bundle is classified as suspicious primarily due to the use of `curl -fsSL https://tailscale.com/install.sh | sh` in SKILL.md for installing Tailscale. While `tailscale.com` is a legitimate domain, this command executes arbitrary remote code directly, which is a high-risk practice and a common vector for supply chain attacks if the remote script or domain were compromised. Additionally, the skill involves extensive system-level operations (e.g., `sudo` commands for package installation) and establishes network connections for vehicle control, which are inherently high-risk capabilities, even if intended for the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or workflow with access to the installed tools could potentially affect a vehicle or request telemetry if the runtime plugin does not enforce clear user confirmation and safety boundaries.
After setup, the agent-accessible plugin can issue signed commands to a real vehicle, but the reviewed setup artifact does not document runtime approval requirements, safe command limits, or containment for those high-impact tools.
Once installed and paired, the plugin automatically registers all tools, commands, slash commands, and telemetry event types... 39 agent-callable tools... Vehicle Command Protocol (VCSEC — signed commands)... Tesla Vehicle
Review the runtime tescmd tool documentation before enabling it, require explicit user confirmation for vehicle-affecting commands, and disable the plugin when not actively needed.
The integration may hold account or vehicle authorization tokens that allow access to Tesla vehicle data and commands.
The setup uses Tesla OAuth/account authorization, which is expected for Tesla vehicle integration but grants sensitive delegated access.
tescmd auth status... This should show a valid token. If it shows expired or missing, the user needs to re-run: tescmd auth login
Use the minimum necessary account privileges, keep tokens protected, and know how to revoke Tesla and OpenClaw node access.
If the external package source is compromised or not the intended package, it could receive sensitive vehicle/account permissions during setup.
The guide asks the user to install external plugin and Python packages whose executable code is not included in this instruction-only artifact; this is normal for setup, but users must trust those sources before granting Tesla access.
openclaw plugins install @oceanswave/openclaw-tescmd... pip install tescmd
Install only from the intended publisher/repository, verify package names and versions, and review the external project before authenticating with Tesla.
Vehicle telemetry can include sensitive information such as location, status, and usage patterns.
The integration intentionally streams vehicle telemetry through gateway/WebSocket infrastructure and may expose a public HTTPS endpoint; this is purpose-aligned but privacy-sensitive.
Real-time telemetry streaming... Fleet Telemetry Stream (WebSocket)... Tailscale provides a public HTTPS endpoint for Tesla Fleet Telemetry streaming
Confirm endpoint authentication, limit telemetry exposure where possible, and review retention/sharing behavior before enabling streaming.
