Version
2.0.3
Status: pending_audit
Created: 1/16/2026, 8:01:14 PM
LatestaiWARN
Risk: mediumStarted: 1/16/2026, 8:02:05 PMCompleted: 1/16/2026, 8:02:14 PM
View report details
{
"notes": "No obfuscated/encoded payloads or unsafe prompt patterns detected. Skill issues vehicle control commands; human approval recommended for safety.",
"risks": [
{
"category": "network",
"evidence": "tessie.sh sets TESSIE_API_URL default to https://api.tessie.com and performs HTTP requests; README documents GET/POST to api.tessie.com endpoints.",
"severity": "medium",
"recommendation": "Ensure network access is restricted to api.tessie.com and document this explicitly in deployment allowlist."
},
{
"category": "exfil",
"evidence": "Skill reads API key from config/env (TESSIE_API_KEY) and uses it in Authorization header for API calls.",
"severity": "medium",
"recommendation": "Confirm API key is stored securely and avoid logging request headers or responses that could expose credentials."
}
],
"summary": "Skill performs authenticated network requests to Tessie API using user-provided API key; no obfuscation or exfiltration detected, but external control of vehicle functions warrants review.",
"verdict": "warn",
"allowNetwork": [
"api.tessie.com",
"tessie.com",
"developer.tessie.com"
],
"requireHumanReview": true
}dependencyWARN
Risk: mediumStarted: 1/16/2026, 8:02:05 PMCompleted: 1/16/2026, 8:02:05 PM
View report details
{
"requires": {
"env": [],
"bins": [],
"config": [],
"anyBins": []
},
"installers": [],
"references": {
"tools": [],
"connectors": []
},
"dependencies": []
}licensePASS
Risk: lowStarted: n/aCompleted: n/a
View report details
{
"license": "MIT",
"allowlisted": true
}metadataPASS
Risk: lowStarted: n/aCompleted: n/a
View report details
{
"name": "Tessie Tesla Control",
"type": "tool",
"license": "MIT",
"version": "2.0.3",
"homepage": "https://clawdhub.com/baanish/tessie",
"security": {
"openSource": true,
"safeListed": false,
"auditRequired": true,
"requireSource": false,
"requiresAudit": true,
"repositoryHost": null,
"declaredOpenSource": true,
"declaredAuditRequired": null,
"repositoryHostAllowed": null
},
"repository": null,
"description": "Control Tesla vehicles via Tessie API - check battery, range, location, manage climate, charging, and view recent drives",
"sourceBytes": 7559,
"capabilities": [
"vehicle-status",
"vehicle-control",
"climate-control",
"charging-control",
"location-read"
],
"sourceCommit": null,
"sourceSha256": "c39709fe29009d274deb828a7a8dd427dc68b8097e884064cadfd8e418b72d5e"
}sandboxPASS
Risk: lowStarted: 1/16/2026, 8:02:05 PMCompleted: 1/16/2026, 8:02:05 PM
View report details
{
"reason": "sandbox deferred in v1",
"skipped": true
}staticPASS
Risk: lowStarted: 1/16/2026, 8:02:05 PMCompleted: 1/16/2026, 8:02:05 PM
View report details
{
"flags": [],
"fileCount": 3,
"sourceScan": {
"totalFiles": 3,
"scannedFiles": 3,
"skippedBytes": 0,
"skippedFiles": 0,
"suspiciousFiles": [
{
"path": "SECURITY_AUDIT.md",
"reasons": [
"network",
"secrets"
],
"excerpts": [
"### 5. API Request Handling ✅",
"**Check**: How are HTTP requests made?",
"- `--fail`: Exit on HTTP errors (prevents processing bad responses)",
"TESSIE_API_KEY=$(jq -r '.skills.entries.tessie.apiKey // empty' \"$CONFIG_FILE\")",
"- `2>/dev/null`: Suppresses curl debug output (prevents token leakage)",
"1. ✅ **APPROVED FOR USE** - Token can be added to config"
]
},
{
"path": "SKILL.md",
"reasons": [
"network",
"secrets"
],
"excerpts": [
"1. Go to https://tessie.com/developers",
"GET https://api.tessie.com/vehicles",
"GET https://api.tessie.com/{VIN}/drives?limit=10",
" apiKey: \"your-tessie-api-key-here\"",
"export TESSIE_API_KEY=\"your-tessie-api-key-here\"",
"Authorization: Bearer <api-key>"
]
},
{
"path": "tessie.sh",
"reasons": [
"network",
"secrets"
],
"excerpts": [
"TESSIE_API_URL=\"${TESSIE_API_URL:-https://api.tessie.com}\"",
"# Helper: Make API request",
" # If vehicle ID is set, fetch VIN from vehicles endpoint",
" TESSIE_API_KEY=$(jq -r '.skills.entries.tessie.apiKey // empty' \"$CONFIG_FILE\" 2>/dev/null || echo \"\")"
]
}
]
}
}