Tesla Smart Charge

What to consider before installing: - Inconsistency: The package metadata does not declare TESLA_EMAIL or the 'tesla' skill dependency, but SKILL.md and the script require them. Expect to provide TESLA_EMAIL and to install/configure the separate 'tesla' skill with its API credentials before this will work. - Injection risk: Despite claims of 'no shell injection risk', the script uses subprocess.run(..., shell=True) when starting charging, embedding variables into a shell string. This can be exploited if untrusted input ever reaches that string (TESLA_EMAIL or path). Ask the author to replace that call with a safe argument-list invocation (like other places in the script use) or patch locally before use. - Credential handling: The docs suggest putting TESLA_EMAIL directly into cron task lines. Avoid placing credentials on command lines (they can be visible to other users/processes). Use secure environment storage (systemd service env files, cron's secure env support, or an agent-managed secret store) and ensure the 'tesla' skill stores tokens securely. - Audit the dependent 'tesla' skill: This skill delegates all API interactions to scripts/tesla.py in a sibling 'tesla' skill. Inspect that script (and any stored tokens/config) before granting it access to your account — it performs the actual API calls and may hold or transmit sensitive tokens. - Minor fixes to request: The author should update registry metadata to declare required env vars and dependencies, and correct the SKILL.md claim about injection safety. If you rely on this skill, run it in an isolated account/container and review logs initially. If you want, I can: (1) point out the exact lines in the included script to patch (replace the shell=True call), (2) produce a safer, patched version of start_charging and the cron examples, or (3) scan the included 'tesla' skill (if you provide it) for credential handling behaviors.