Skill v1.1.1
VirusTotal security
Tesla Smart Charge · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:35 AM
- Hash: eb16ae146135ee09196b777dbc272c728d0f1047c1bf9213c5b41c85758aafec
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: tesla-smart-charge; Version: 1.1.1. The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/tesla-smart-charge.py`. The `start_charging` method uses `subprocess.run` with `shell=True` and interpolates the `TESLA_EMAIL` environment variable directly into the command string. Although email validation (`_is_valid_email`) exists, it is not called before `start_charging` is invoked, allowing an attacker to inject arbitrary shell commands by manipulating the `TESLA_EMAIL` environment variable. This directly contradicts the security claim in `SKILL.md` that states 'No shell injection risk: Uses argument lists instead of shell=True'.
