coda.io
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is a straightforward Coda.io reading CLI, but it requires a Coda API token and can expose Coda document contents to the agent.
This appears coherent and purpose-aligned for reading Coda.io documents. Before installing, make sure you are comfortable giving the CLI a Coda API token and allowing the agent to read Coda pages you select or ask it to access.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to list and read Coda documents that the token can access.
The skill requires a Coda API token, which gives the CLI delegated access to the user's Coda account according to the token's permissions.
metadata: {"openclaw":{"requires":{"bins":["coda-ai"],"env":["CODA_API_TOKEN"]},"primaryEnv":"CODA_API_TOKEN"Use a least-privilege Coda token where possible, avoid using tokens with unnecessary workspace access, and revoke the token if you stop using the skill.
Private Coda content could be shown to or processed by the agent, and document text could influence the agent's responses.
The skill is designed to bring Coda page content into the agent's working context, which may include sensitive or untrusted document text.
coda-ai read --docId <docId> --pageId <pageId> # markdown (default, recommended for AI Agents)
Only read Coda pages you intend to share with the agent, and treat instructions found inside documents as untrusted unless you explicitly approve them.
Installing the package adds a local command that will handle the Coda API token and document data.
The skill relies on installing an external npm package as its CLI implementation; this is expected for the skill, but users are trusting that package.
npm install -g coda-ai@0.2.2
Install from the expected npm package, review the linked project if needed, and consider pinning the intended version consistently.