Tesla Smart Charge

by thibautrey · GitHub ↗ · v1.1.1
cross-platform ⚠ suspicious
Downloads: 1264
Stars: 0
Active Installs: 0
Versions: 3
Install in OpenClaw
/install tesla-smart-charge
Description
Schedules Tesla charging on specified dates with target battery % and times, managing charge limits during and after sessions for battery health.
Usage Guidance
What to consider before installing:

- Inconsistency: The package metadata does not declare TESLA_EMAIL or the 'tesla' skill dependency, but SKILL.md and the script require them. Expect to provide TESLA_EMAIL and to install/configure the separate 'tesla' skill with its API credentials before this will work.
- Injection risk: Despite claims of 'no shell injection risk', the script uses subprocess.run(..., shell=True) when starting charging, embedding variables into a shell string. This can be exploited if untrusted input ever reaches that string (TESLA_EMAIL or path). Ask the author to replace that call with a safe argument-list invocation (like other places in the script use) or patch locally before use.
- Credential handling: The docs suggest putting TESLA_EMAIL directly into cron task lines. Avoid placing credentials on command lines (they can be visible to other users/processes). Use secure environment storage (systemd service env files, cron's secure env support, or an agent-managed secret store) and ensure the 'tesla' skill stores tokens securely.
- Audit the dependent 'tesla' skill: This skill delegates all API interactions to scripts/tesla.py in a sibling 'tesla' skill. Inspect that script (and any stored tokens/config) before granting it access to your account — it performs the actual API calls and may hold or transmit sensitive tokens.
- Minor fixes to request: The author should update registry metadata to declare required env vars and dependencies, and correct the SKILL.md claim about injection safety.

If you rely on this skill, run it in an isolated account/container and review logs initially. If you want, I can: (1) point out the exact lines in the included script to patch (replace the shell=True call), (2) produce a safer, patched version of start_charging and the cron examples, or (3) scan the included 'tesla' skill (if you provide it) for credential handling behaviors.
Capability Analysis
Type: OpenClaw Skill
Name: tesla-smart-charge
Version: 1.1.1

The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/tesla-smart-charge.py`. The `start_charging` method uses `subprocess.run` with `shell=True` and interpolates the `TESLA_EMAIL` environment variable directly into the command string. Although email validation (`_is_valid_email`) exists, it is not called before `start_charging` is invoked, allowing an attacker to inject arbitrary shell commands by manipulating the `TESLA_EMAIL` environment variable. This directly contradicts the security claim in `SKILL.md` that states 'No shell injection risk: Uses argument lists instead of shell=True'.
Capability Assessment
Purpose & Capability
The skill's stated purpose (schedule and manage Tesla charge limits) matches the included script and docs: it legitimately needs a Tesla account and the existing 'tesla' skill to operate. However, the registry metadata does not declare any required env vars or a Tesla dependency, while SKILL.md and the script both require TESLA_EMAIL and a 'tesla' skill; this mismatch is an incoherence that could mislead users or automated installers.
Instruction Scope
SKILL.md instructs the agent to run cron jobs and to set TESLA_EMAIL in the environment, and the script reads a local schedule and writes plan/session JSON files in the skill 'memory' directory — those actions are within scope. However the SKILL.md asserts 'No shell injection risk' while the script actually invokes the other Tesla helper with subprocess.run using shell=True in start_charging (interpolating TESLA_EMAIL and paths). That is a concrete injection risk and contradicts the README/SKILL.md claim. The instructions also recommend embedding TESLA_EMAIL directly into cron task lines (exposing the email on the system command line), which is poor practice for sensitive credentials.
Install Mechanism
No install spec or third-party downloads are used — this is an instruction-only skill with source files included. That keeps disk/write risk limited to the packaged files. There are no external URLs or archive extraction steps in the bundle.
Credentials
The SKILL.md and script require TESLA_EMAIL and a configured 'tesla' skill (which will hold API credentials). The registry metadata, however, lists no required env vars or primary credential. This omission is misleading: users/installers may not realize they must provide TESLA_EMAIL and ensure the tesla skill has credentials. The skill itself does not request broad unrelated secrets, but the dependency on another skill for credentials introduces an implicit credential surface that is not declared.
Persistence & Privilege
The skill is not marked always:true and does not request elevated system privileges. It writes to its own memory/ files under the skills tree (charge plan and session state) which is expected for its purpose. The recommended cron usage runs the script on a schedule but that is user-controlled. There is no evidence it modifies other skills or system-wide agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install tesla-smart-charge
  3. After installation, invoke the skill by name or use /tesla-smart-charge
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.1
Ensure description syncs to clawhub. Smart Tesla charging scheduler with secure credential handling, multi-charger support, and battery health optimization via charge limit management.
v1.1.0
Security fixes: Replaced shell=True with safe argument lists, added email/input validation, explicitly declared TESLA_EMAIL and 'tesla' skill dependency in metadata. Prevents command injection and clarifies required environment setup.
v1.0.0
Initial Tesla Smart Charge release
Metadata
Slug tesla-smart-charge
Version 1.1.1
License
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Tesla Smart Charge?

Schedules Tesla charging on specified dates with target battery % and times, managing charge limits during and after sessions for battery health. It is an AI Agent Skill for Claude Code / OpenClaw, with 1264 downloads so far.

How do I install Tesla Smart Charge?

Run "/install tesla-smart-charge" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Tesla Smart Charge free?

Yes, Tesla Smart Charge is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Tesla Smart Charge support?

Tesla Smart Charge is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Tesla Smart Charge?

It is built and maintained by thibautrey (@thibautrey); the current version is v1.1.1.
