ClawHub

Coda Packs

v1.0.0

Manage private Coda Packs by listing, creating, updating metadata, and deleting Packs using the Coda REST API v1 and CODA_API_TOKEN.

0· 937·3 current·3 all-time
byTFM@0x7466
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and the included Python CLI implement Coda Pack management via the Coda REST API and explicitly require CODA_API_TOKEN — that capability matches the name/purpose. However, the registry metadata lists no required environment variables even though the skill needs an API token, which is an inconsistency between declared metadata and actual requirements.
Instruction Scope
Runtime instructions are scoped to listing/creating/updating/deleting private Packs and to using the Pack SDK for builds/advanced features. The SKILL.md does not instruct the agent to read unrelated system files or exfiltrate data to unexpected endpoints; it only requires the Coda API token and standard HTTP access to coda.io.
Install Mechanism
There is no install spec (instruction-only), which reduces install-time risk. However, the skill includes an executable Python CLI script (scripts/coda_packs_cli.py) that will be run by the agent; the package does not provide an automated install step or sandboxing guidance. This is reasonable but worth noting: code will run locally when invoked.
!
Credentials
The tool legitimately requires a single credential (CODA_API_TOKEN) for the coda.io API, which is proportionate. The concern is that the registry metadata does not declare this required environment variable while SKILL.md and the script both require it. Missing metadata can lead users or automated systems to grant incorrect permissions or miss required secrets.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It runs on-demand (or can be invoked autonomously per platform defaults), which is normal for skills.
What to consider before installing
This skill appears to do what it says (manage Coda Packs) and the included Python code matches the documentation, but the registry metadata incorrectly omits the required CODA_API_TOKEN. Before installing: (1) confirm the publisher and trust the source; (2) only provide a CODA API token scoped to Pack management (least privilege); (3) prefer creating a dedicated account/token for automation that can be revoked; (4) review and, if possible, run the included script in a sandbox or test environment first to observe network calls (they should be to coda.io only); (5) ask the publisher to update registry metadata to declare CODA_API_TOKEN so automated permission checks are accurate. If you cannot verify the source or cannot scope the token safely, avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk973bcdmmbtcfegw1cjqcsse0x80rmwv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments