v1.0.0

Tesla Commands

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:51 AM.

Analysis

This skill is mostly purpose-aligned, but it can directly change Tesla vehicle settings and includes an undocumented command that deletes charging schedules.

GuidanceOnly install this if you are comfortable giving the agent a MyTeslaMate token that can view vehicle data and change Tesla settings. Review the undocumented schedule-removal command, use a limited or revocable token if possible, and require explicit confirmation before climate, charging, wake, or schedule changes.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

bin/tesla-control.py

parser.add_argument("--remove-schedules", action="store_true", help="Completely remove all charge schedules") ... call_api("command/remove_charge_schedule", method="POST", data={}, vin=args.vin)

The code exposes a command that completely removes charging schedules, but this option is not listed in SKILL.md's tool options. That under-discloses a high-impact mutation of vehicle charging behavior.

User impactIf invoked, the agent could delete configured charging schedules, which may affect when the car charges, costs, or vehicle readiness.

RecommendationDocument this command clearly in SKILL.md, require explicit user confirmation before schedule deletion, or remove the option if it is not intended.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

`--wake`: Wake up the vehicle from sleep mode. ... `--climate [on|off]`: Start or stop the climate control. ... `--charge-limit [50-100]`: Set the battery charge limit percentage. ... `--set-schedule [HH:MM]`: Set a scheduled charging start time.

The skill exposes direct commands that change a physical vehicle's state and charging behavior, but the artifacts do not define approval, confirmation, scope, or rollback requirements for those actions.

User impactAn agent using this skill with a valid token could change climate or charging settings if a command is invoked incorrectly or without enough user review.

RecommendationRequire clear user confirmation before any vehicle-changing POST command, validate requested values, and consider limiting allowed actions or VINs.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

`TESLA_MATE_TOKEN`: Your MyTeslaMate API token. ... `--status`: Fetch full vehicle data (battery, climate, location, locks, etc.).

The required API token and status command are expected for a Tesla control skill, but they grant access to sensitive account and vehicle data, including location and lock state.

User impactAnyone or any agent session with access to the token can retrieve sensitive vehicle information and issue supported control commands.

RecommendationUse a dedicated, revocable token if available, keep it out of shared environments, and avoid running status commands in conversations where location or lock-state output should not be exposed.