ClawHub

Tesla Smart Charge

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to automate Tesla charging, but it needs review because it controls a real vehicle account on a recurring schedule and contains a shell-based charge-start path that contradicts its own safety claims.

Review carefully before installing. Only use it if you are comfortable giving an automation access to your Tesla account behavior, and avoid enabling cron until you have verified the schedule file, credential handling, timezone assumptions, and how to disable the jobs. Do not use --auto-start unless the shell=True charge-start path is fixed or otherwise contained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def start_charging(self):
        """Trigger charging on the vehicle"""
        try:
            subprocess.run(
                f'TESLA_EMAIL="{self.tesla_email}" python3 {self.tesla_skill_dir}/scripts/tesla.py charge start',
                shell=True,
                check=True,
Confidence
99% confidence
Finding
subprocess.run( f'TESLA_EMAIL="{self.tesla_email}" python3 {self.tesla_skill_dir}/scripts/tesla.py charge start', shell=True, check=True,

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The docstring claims the tool calculates and manages scheduling, but the implementation can directly start charging when auto_start is enabled. This mismatch is dangerous because users or higher-level agents may authorize the skill under a lower-risk assumption, leading to unintended physical actions on a vehicle.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation states that on days without a scheduled charge, the skill will still remotely change the vehicle's charge limit to 80% (or another configured value), but it does not clearly warn users that this causes unattended state changes to their Tesla account and vehicle settings even when no charging is planned. In a vehicle-control context, silent remote modification is security-relevant because users may enable automation expecting read/check behavior only, while the skill performs write actions that persist and may affect operational readiness or battery behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The recommended cron jobs are presented as routine setup, but the documentation does not clearly warn that enabling them authorizes recurring unattended remote actions against the user's Tesla account, including charge scheduling and charge-limit changes. Because this is a high-trust automation context involving a real vehicle, omission of that warning increases the risk of users deploying persistent automation without fully understanding that it will continuously issue control actions in the background.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly states that a daily cron-triggered script will automatically execute vehicle charging when a scheduled date matches, but it does not present a clear warning that this is an autonomous action affecting a physical device. In a home/vehicle automation context, unattended charging can have safety, cost, and operational consequences, so users should be clearly informed before enabling persistence.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script can automatically start vehicle charging based on timing logic without a second confirmation, safety prompt, or dry-run mode. In a home-automation or agent context, this increases the chance of unintended physical actions, energy cost impact, or unsafe operation if scheduling inputs are wrong or manipulated.

Session Persistence

Medium
Category
Rogue Agent
Content
## Quick Setup

Create a cron job that runs at midnight and checks if a charge is scheduled:

```bash
clawdbot cron add \
Confidence
84% confidence
Finding
Create a cron job that

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal