Back to skill

Security audit

My Tesla

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Tesla control CLI with sensitive but purpose-aligned account, vehicle, location, and local history handling.

Install only if you are comfortable giving this skill Tesla account access and the ability to send remote vehicle commands. Treat tokens, raw vehicle JSON, precise location output, and mileage exports as private data; consider tightening permissions on ~/.my_tesla/mileage.sqlite if the machine is shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly uses sensitive capabilities including environment variables, local file read/write, and shell execution, but does not declare permissions. That weakens user consent and reviewability because operators cannot accurately assess that the skill handles Tesla credentials, token caches, local config, and command execution. In a vehicle-control skill, undeclared capabilities are more dangerous because they combine privileged account access with the ability to persist sensitive data locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The description understates the actual behavior and omits multiple sensitive and safety-relevant capabilities, including remote vehicle actuation, persistent telemetry storage, scheduled charging changes, precise location output, and actions like honk, flash, trunk/frunk, windows, sentry, and charge-port control. This mismatch can mislead users or reviewers into granting trust to a skill that has broader control over a physical asset than advertised. The context makes this more dangerous because the target is a real vehicle, so unexpected actions can affect privacy, safety, and physical security.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill includes a mileage subsystem that persistently records odometer readings and exports them from a local SQLite database, which exceeds the narrowly described remote-control/status scope. While not overtly malicious, this expands data collection and retention in a way users may not expect, creating privacy risk and increasing the blast radius if the local machine or exported files are accessed by another process or user.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code stores longitudinal vehicle telemetry history over time in a local SQLite database, including timestamps, vehicle identifiers, names, odometer values, and notes. Persistent historical telemetry can reveal travel patterns and vehicle usage over time, and the database path is created without an explicit permission hardening step, so local compromise or accidental sharing could expose sensitive behavioral data.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Make `location` safer by default: show approximate (rounded) coordinates unless `--yes` is provided for precise.

## 0.1.11 — 2026-01-28
- Remove `--yes` safety gate from `location` (prints coordinates + maps link without confirmation).

## 0.1.10 — 2026-01-28
- Refactor: centralize missing-email handling into a single helper with a clearer example.
Confidence
81% confidence
Finding
without confirmation

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.