Skill v0.1.1
ClawScan security
Teslamate Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 16, 2026, 11:30 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (query TeslaMate via Grafana) but it sends precise vehicle coordinates and route requests to public third‑party services and disables SSL verification — a privacy and network security concern the user should understand before installing.
- Guidance: This skill is functionally coherent but has important privacy/network risks you should consider before installing: it sends exact vehicle coordinates and destination addresses to external public services (Nominatim and OSRM) and the script disables TLS certificate verification for those requests (mitigates TLS failures but opens MITM risk). If you care about location privacy or operate on untrusted networks, host your own geocoding/routing services or remove/modify those calls. Also verify the grafana_url in ~/.openclaw/workspace/memory/teslamate-grafana-config.json points to your trusted Grafana instance (the script will query whatever URL is configured). If unsure, inspect and run scripts locally in a controlled environment, and consider modifying the code to enable SSL verification and to avoid calling public endpoints with raw coordinates.
Review Dimensions
- Purpose & Capability: ok. Name/description match the code and instructions: the script queries Grafana's /api/ds/query with PostgreSQL raw SQL to extract TeslaMate data and offers drives, status, routing, etc. Requiring a local Grafana datasource is coherent.
- Instruction Scope: concern. Runtime instructions and the included script perform additional network actions beyond querying Grafana: reverse geocoding and geocoding (Nominatim) and route requests (OSRM) using precise lat/lon. Those calls transmit vehicle location data to external services; the SKILL.md/README mention address lookup and route planning but do not make the privacy implications prominent.
- Install Mechanism: ok. Instruction-only skill with no install spec and only a small Python script; nothing is downloaded or installed automatically. This lowers installer risk.
- Credentials: note. The skill requests no credentials or env vars (configuration is read from a local JSON file). That is proportionate. However, the script will contact arbitrary Grafana URLs taken from that config, which could be pointed at sensitive internal endpoints; the skill will also contact public Nominatim and OSRM endpoints, leaking location data if used.
- Persistence & Privilege: ok. The always flag is false and the skill does not request or modify other skills or system-wide settings. It only reads/writes its own config file under ~/.openclaw/workspace/memory, which is expected behavior.
