Tesla Fleet API

Review: Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent Tesla Fleet API helper, but installing it gives the agent access to Tesla credentials, vehicle/location data, and real remote vehicle commands.

Install this only if you want your agent to help manage a Tesla account and vehicle. Keep Tesla credentials and the workspace private, confirm any command that affects the physical vehicle, and stop the local proxy when you are done.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could change vehicle state, such as climate, charging, locks, honk, or lights, when the relevant command is invoked.

Why it was flagged

The skill can send POST requests that issue real Tesla vehicle commands. This is central to the stated purpose, but users should treat these as high-impact actions.

Skill content

Usage: command.py climate start ... command.py charge limit 80 ... return http_json("POST", url, token, json_body=body or {}, ca_cert=ca_cert)

Recommendation

Only use this skill with an agent you trust, and require explicit confirmation before any physical vehicle command.

What this means

Stored tokens can allow continued access to Tesla vehicle data and commands until revoked or expired.

Why it was flagged

The OAuth flow requests offline, vehicle data, command, and location scopes and stores resulting tokens locally. This is expected for Tesla Fleet API use but grants meaningful account/device authority.

Skill content

scope = ... "openid offline_access vehicle_device_data vehicle_cmds vehicle_location" ... auth["access_token"] = payload.get("access_token") ... save_auth(args.dir, ...)

Recommendation

Protect the workspace files, avoid pasting secrets into chat, and revoke Tesla app access if you stop using the skill.

What this means

Local skill state may reveal vehicle names/VINs or important locations such as home or school.

Why it was flagged

The skill persists vehicle identifiers and named locations, which can be sensitive even though this storage is purpose-aligned.

Skill content

vehicles.json (cached vehicle list); places.json (named locations, e.g. {"home": {"lat": ..., "lon": ...}})

Recommendation

Keep the workspace private and delete the skill state directory if you no longer need cached vehicles or places.

What this means

The signed-command path depends on code installed outside this skill package.

Why it was flagged

Signed vehicle commands rely on an external Tesla proxy binary installed from GitHub. The version is pinned and the dependency is purpose-aligned, so this is a notice rather than a concern.

Skill content

go install github.com/teslamotors/vehicle-command/cmd/tesla-http-proxy@v0.4.1

Recommendation

Install the proxy only from the documented official source and keep the pinned version under your control.

What this means

A local proxy using the Tesla private key may continue running after the initial task to support signed vehicle commands.

Why it was flagged

The helper starts a background localhost signing proxy and records a PID file. It is documented and has a stop script, but it remains running until stopped.

Skill content

nohup "${PROXY_BIN}" ... -host localhost -port 4443 >> "${LOG_FILE}" 2>&1 & ... echo "${PROXY_PID}" > "${PID_FILE}"

Recommendation

Start the proxy only when needed, monitor the log/PID file, and run the provided stop script when finished.