Back to skill

Security audit

Tesla Fleet API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Tesla Fleet API skill that is powerful because it can read vehicle data and issue real vehicle commands, but the behavior is disclosed and purpose-aligned.

Install only if you want an agent to access your Tesla account and vehicle. Keep config.json, auth.json, private-key.pem, cached telemetry, and proxy files private; use official Tesla regional URLs or the localhost proxy only; stop the proxy when finished; and require explicit approval before unlock, honk, charging, climate, wake, or location commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tainted flow: 'req' from os.environ.get (line 170, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
ctx = ssl.create_default_context()

    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        text = e.read().decode("utf-8", errors="replace") if hasattr(e, "read") else ""
Confidence
82% confidence
Finding
with urllib.request.urlopen(req, context=ctx) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares powerful capabilities through metadata and documented behavior, including use of environment secrets, local file storage, shell execution, and network access, but does not expose an explicit permissions declaration to help a host or user gate those actions. In a skill that can authenticate to Tesla APIs and issue remote vehicle commands, that mismatch reduces transparency and increases the chance of over-privileged or unexpected execution.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The setup guide explicitly instructs users to store OAuth tokens and provider credentials in workspace files, including client secrets and refresh/access tokens, but it does not include clear handling guidance such as file-permission restrictions, exclusion from version control, or warnings about token theft risk. In a skill that enables remote access to Tesla vehicle data and signed commands, compromise of these files could allow unauthorized API use and potentially remote vehicle actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description presents remote-control features such as unlock, wake, climate, and charging actions without a prominent warning that these perform real operations against a physical vehicle. In this context, insufficient warning is dangerous because users or higher-level agents may treat examples as harmless queries and trigger unintended security-relevant state changes on an actual car.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The vehicle-data section documents retrieval and display of location information but does not warn that GPS coordinates, vehicle identity, and related telemetry are sensitive personal data. In a fleet/vehicle context, exposing or casually displaying this data can enable tracking, profiling, and inference about home/work locations or vehicle presence.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.