coda.io

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: coda-ai
Version: 0.2.3

The skill provides a CLI wrapper for interacting with Coda.io, allowing agents to list documents, pages, and read content. It requires a `CODA_API_TOKEN` for authentication, which is standard for API access, and instructs the agent to install the `coda-ai` npm package. The `SKILL.md` instructions are clear, align with the stated purpose, and do not contain any prompt injection attempts, data exfiltration commands, or other malicious behaviors. Credential storage is noted to use secure 0600 permissions.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to list and read Coda documents that the token can access.

Why it was flagged

The skill requires a Coda API token, which gives the CLI delegated access to the user's Coda account according to the token's permissions.

Skill content

metadata: {"openclaw":{"requires":{"bins":["coda-ai"],"env":["CODA_API_TOKEN"]},"primaryEnv":"CODA_API_TOKEN"

Recommendation

Use a least-privilege Coda token where possible, avoid using tokens with unnecessary workspace access, and revoke the token if you stop using the skill.

What this means

Private Coda content could be shown to or processed by the agent, and document text could influence the agent's responses.

Why it was flagged

The skill is designed to bring Coda page content into the agent's working context, which may include sensitive or untrusted document text.

Skill content

coda-ai read --docId <docId> --pageId <pageId>  # markdown (default, recommended for AI Agents)

Recommendation

Only read Coda pages you intend to share with the agent, and treat instructions found inside documents as untrusted unless you explicitly approve them.

What this means

Installing the package adds a local command that will handle the Coda API token and document data.

Why it was flagged

The skill relies on installing an external npm package as its CLI implementation; this is expected for the skill, but users are trusting that package.

Skill content

npm install -g coda-ai@0.2.2

Recommendation

Install from the expected npm package, review the linked project if needed, and consider pinning the intended version consistently.