Tesla Commands

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its Tesla-control purpose, but it gives an agent token-backed ability to change vehicle settings and schedules, including an undocumented schedule-removal command, without clear approval safeguards.

Install only if you want the agent to control Tesla vehicle functions through MyTeslaMate. Before use, confirm the exact VIN and action, avoid leaving the API token available longer than necessary, and be especially careful with charging schedule changes or removals.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly, the agent could change climate or charging settings on a real vehicle, potentially affecting battery use, charging behavior, cost, or user expectations.

Why it was flagged

The tool sends POST commands that change live vehicle state, but the artifacts do not show confirmation prompts, safety gating, or enforcement of the documented charge-limit range before sending the request.

Skill content

    elif args.climate:
        action = "auto_conditioning_start" if args.climate == "on" else "auto_conditioning_stop"
        print(json.dumps(call_api(f"command/{action}", method="POST", vin=args.vin)))
    elif args.charge_limit:
        print(json.dumps(call_api("command/set_charge_limit", method="POST", data={"percent": args.charge_limit}, vin=args.vin)))

Recommendation

Require explicit user confirmation for every mutating vehicle command, validate local input ranges, and make the target VIN and requested action clear before execution.

What this means

A user may install the skill expecting only the documented actions, while the executable includes an additional schedule-deletion action.

Why it was flagged

The code exposes a command that completely removes charge schedules, but SKILL.md lists only set and clear schedule options and does not document this more destructive capability.

Skill content

    parser.add_argument("--remove-schedules", action="store_true", help="Completely remove all charge schedules")
    ...
    elif args.remove_schedules:
        # According to Tesla Fleet API, remove_charge_schedule completely deletes the configuration
        print(json.dumps(call_api("command/remove_charge_schedule", method="POST", data={}, vin=args.vin)))

Recommendation

Document all mutating commands in SKILL.md, especially destructive or irreversible ones, and require confirmation before removing schedules.

What this means

Anyone or any agent session with this token available can access the configured MyTeslaMate account functions exposed by the tool.

Why it was flagged

The skill requires a bearer token for vehicle access, but the supplied registry metadata declares no required environment variables and no primary credential, reducing visibility into the privilege being granted.

Skill content

- `TESLA_MATE_TOKEN`: Your MyTeslaMate API token.
- `TESLA_VIN`: Your vehicle's VIN

Recommendation

Declare the token and VIN requirements in metadata, use the least-privileged API token available, and avoid exposing the token outside sessions where vehicle control is needed.

What this means

Using the status command may reveal private vehicle telemetry, including location, to the agent context.

Why it was flagged

Vehicle status output can include sensitive location and lock-state information that may enter the agent conversation or logs.

Skill content

- `--status`: Fetch full vehicle data (battery, climate, location, locks, etc.).

Recommendation

Use status queries only when needed, avoid sharing outputs unnecessarily, and treat vehicle location and lock status as sensitive information.