coda.io
v0.2.3
CLI to read Coda.io documents and pages. List docs, list pages, read content in markdown/json/html.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (coda-ai), required env var (CODA_API_TOKEN), and install instruction (npm package coda-ai) are coherent for a Coda.io-reading CLI. No unrelated services or credentials are requested.
Instruction Scope
SKILL.md stays within scope (list docs/pages, read content). It instructs the user to place CODA_API_TOKEN in a .env file and run coda-ai auth --from-file .env. The CLI stores credentials at ~/.coda-ai/config.json (0600). Storing a token on disk is expected but worth noting from a security perspective.
Install Mechanism
Install uses an npm package (coda-ai) which is appropriate for providing a Node-based CLI. npm packages carry the usual supply-chain risk (moderate) but the mechanism itself is expected for this functionality.
Credentials
Only one credential is required (CODA_API_TOKEN) and it is the primary credential necessary to access Coda. There are no extra unrelated environment variables or credentials requested.
Persistence & Privilege
Skill does not request always:true and is user-invocable only. The only persistence is the CLI storing the token under the user's home (~/.coda-ai/config.json), which is reasonable for a CLI that manages auth.
Assessment
This skill appears coherent with its stated purpose, but review these practical precautions before installing:
1) Verify the npm package and upstream repo (https://github.com/auniik/coda-ai and the npm page) to ensure you trust the publisher and version.
2) Prefer a least-privilege Coda API token; avoid using broad or account-level tokens.
3) The instructions create a .env file and the CLI stores the token at ~/.coda-ai/config.json (0600). Do not check .env into source control and confirm the config file permissions.
4) If you prefer not to persist the token on disk, consider exporting CODA_API_TOKEN into the environment for temporary use and removing it afterward.
5) After use, remove stored credentials with coda-ai logout and rotate tokens if they were exposed.
6) Be aware npm packages can change: pin to a specific trusted version and review changes when updating.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: coda-ai
Env: CODA_API_TOKEN
Primary env: CODA_API_TOKEN
Install
Install coda-ai (npm)
Bins: coda-ai
npm i -g coda-ai (latest)
coda-ai
CLI to read Coda.io content for AI agents.
Workflow
- docs → list all documents
- pages → list pages in a doc
- read → get page content
Setup (once)
npm install -g coda-ai@0.2.2
# Auth (Coda API token)
echo "CODA_API_TOKEN=YOUR_TOKEN" > .env
coda-ai auth --from-file .env
coda-ai whoami # verify auth
Credentials & Storage
- Stored at: ~/.coda-ai/config.json (written with 0600 permissions)
- Remove stored credentials: coda-ai logout
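An added check, not part of coda-ai or of the original page: the `echo ... > .env` step in Setup creates the file under the shell's current umask (often 022, giving 0644), so this sketch writes the .env with owner-only permissions and audits any token-bearing file for the 0600-style mode the page describes. The function names, the scratch paths and the `YOUR_TOKEN` placeholder are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not part of coda-ai). Paths and token below are placeholders.

# Permission bits in octal: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if $1 is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits (e.g. 600 or 400).
token_file_ok() {
    if [ -L "$1" ]; then echo "FAIL $1: symlink"; return 1; fi
    if [ ! -f "$1" ]; then echo "FAIL $1: not a regular file"; return 1; fi
    if [ ! -O "$1" ]; then echo "FAIL $1: not owned by current user"; return 1; fi
    mode=$(file_mode "$1") || return 1
    case $mode in
        0|*00) echo "OK   $1: mode $mode"; return 0 ;;
        *)     echo "FAIL $1: mode $mode allows group/other access"; return 1 ;;
    esac
}

# Create the .env consumed by `coda-ai auth --from-file` with owner-only
# permissions from the first byte: drop any old copy, then write under umask 077.
write_private_env() {
    ( umask 077 && rm -f "$1" && printf 'CODA_API_TOKEN=%s\n' "$2" > "$1" )
}

# Constructed demo in a scratch directory: a private .env passes, and a
# stand-in config file left at 0644 is flagged.
demo() {
    d=$(mktemp -d) || return 1
    write_private_env "$d/.env" "YOUR_TOKEN"
    printf '{}\n' > "$d/config.json"
    chmod 644 "$d/config.json"
    if token_file_ok "$d/.env"; then env_ok=yes; else env_ok=no; fi
    if token_file_ok "$d/config.json"; then cfg_ok=yes; else cfg_ok=no; fi
    rm -rf "$d"
    [ "$env_ok" = yes ] && [ "$cfg_ok" = no ]
}

demo
```

After running `coda-ai auth --from-file .env`, call `token_file_ok ~/.coda-ai/config.json` to confirm the stored credential matches the 0600 mode stated above.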
Commands
List Documents
coda-ai docs --compact # only id + name in toon format (recommended for AI Agents)
coda-ai docs # full data in toon format
coda-ai docs --format json # full data in json
coda-ai docs --format table # human-readable table
Returns: All docs sorted by most recent update. Use id field for next step.
List Pages
coda-ai pages --docId <docId> --compact # only id + name, toon format (recommended for AI Agents)
coda-ai pages --docId <docId> --format json # full data in json
coda-ai pages --docId <docId> --format tree # visual tree
coda-ai pages --docId <docId> # full data in toon format (default)
Returns: Page hierarchy. Use pageId for next step.
Read Content
coda-ai read --docId <docId> --pageId <pageId> # markdown (default, recommended for AI Agents)
coda-ai read --docId <docId> --pageId <pageId> --format json # structured data in json
coda-ai read --docId <docId> --pageId <pageId> --format html # html export
Reference
Full docs: https://github.com/auniik/coda-ai#readme
