My Tesla

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is coherently designed to control a Tesla account and vehicles, but users should treat it as high-impact because it can use Tesla credentials, reveal location, change vehicle state, and optionally run a background mileage job.

Install this only if you are comfortable letting the agent access your Tesla account and run vehicle-control commands. Keep the token cache private, prefer sanitized outputs, require explicit approval before any --yes command or precise location request, and enable the launchd mileage tracker only if you want ongoing background tracking.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could unlock the car, change charging behavior, open or close vehicle components, or otherwise affect the vehicle.

Why it was flagged

These are remote commands that can change vehicle security, charging, windows, or other physical state. The --yes gate is disclosed and purpose-aligned, but it should represent real user approval.

Skill content

Some commands (unlock/charge start|stop|limit|amps/trunk/windows/seats set/sentry on|off/honk/flash/charge-port open|close/scheduled-charging set|off) require `--yes`.

Recommendation

Only allow state-changing commands after an explicit user request, and treat any command containing --yes as requiring human confirmation.

What this means

Anyone or any agent process that can use the cached Tesla token may be able to query or control the associated vehicles.

Why it was flagged

The skill authenticates to the Tesla account and caches OAuth access locally, giving it delegated Owner API access to the user's vehicles.

Skill content

CACHE_FILE = Path.home() / ".tesla_cache.json" ... teslapy.Tesla(email, authenticator=custom_auth, cache_file=str(CACHE_FILE))

Recommendation

Protect the local cache file, use the skill only on trusted machines, and revoke/re-authenticate Tesla access if the machine or cache may be compromised.

What this means

Precise location or trip-related data could be exposed in chat output, logs, copied files, or downstream tools if raw JSON is requested.

Why it was flagged

Raw Tesla vehicle data can include sensitive location and drive-state information. The documentation warns about this and offers sanitized alternatives.

Skill content

NOTE: `status --json` outputs *raw* `vehicle_data`, which may include location/drive_state. Prefer `summary --json` (sanitized) or `report --json` (sanitized) unless you explicitly need the raw payload.

Recommendation

Prefer sanitized summary/report outputs, avoid sharing raw vehicle_data, and use precise location or raw JSON only when necessary.

What this means

If enabled, the mileage recorder continues running in the background and periodically contacts Tesla until the launch agent is unloaded.

Why it was flagged

The README documents an optional persistent macOS launchd job that records mileage hourly.

Skill content

Create `~/Library/LaunchAgents/com.mytesla.mileage.plist` ... `<key>StartInterval</key><integer>3600</integer>` ... `launchctl load -w ~/Library/LaunchAgents/com.mytesla.mileage.plist`

Recommendation

Install the launchd job only if ongoing mileage tracking is desired, and document how to unload it when no longer needed.

What this means

Different installations may use different teslapy versions, which could affect behavior or inherit upstream package risk.

Why it was flagged

The skill depends on an external Python package with a lower-bound version rather than a pinned exact version. This is common for CLI integrations but leaves package-version provenance to the user's environment.

Skill content

dependencies = [
#     "teslapy>=2.0.0",
# ]

Recommendation

Install dependencies from trusted package sources and consider pinning teslapy to a reviewed version in a controlled environment.