Coda

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Coda API skill, but it should be treated as powerful because it can edit/delete Coda content, manage OAuth connections, and change document sharing.

Install only if you trust Maton with access to the connected Coda account. Before approving any write, delete, connection, or sharing change, verify the exact Coda account, document, table/page/row, principal, permission level, and intended effect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding: The manifest advertises a narrower purpose than the documented capability set, omitting connection management, ACL/permission changes, analytics, controls, and other endpoints. This can cause agents or users to invoke the skill under the false assumption that it only manipulates document content, increasing the chance of unexpected privileged actions.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: The skill includes OAuth connection lifecycle operations even though its stated purpose is content management within Coda. Exposing connection creation, listing, retrieval, and deletion broadens authority and can let an agent alter authentication state or switch accounts beyond the user's expected task.

Description-Behavior Mismatch

High
Confidence: 99%
Finding: The security section claims access is limited to docs, pages, tables, rows, and formulas, but the documented endpoints also allow ACL changes, analytics access, controls access, categories queries, and connection-resource interaction. This is a misleading security claim that understates the skill's real power and may cause unsafe approvals or autonomous use.

Intent-Code Divergence

High
Confidence: 99%
Finding: The documentation states access is scoped to content objects but later exposes permission-management endpoints that can add or remove collaborators on docs. Sharing changes can exfiltrate data indirectly by granting outsiders access, making this materially more dangerous than ordinary content editing.

Vague Triggers

Medium
Confidence: 89%
Finding: The invocation guidance is broad and may cause the skill to be selected for generic Coda requests without clear boundaries around sensitive non-content operations. In a skill that also supports deletes, sharing changes, and connection management, over-broad routing increases the likelihood of misuse or overprivileged execution.

Tool Parameter Abuse

High
Category: Tool Misuse
Content:
#### Delete Permission

```bash
DELETE /coda/apis/v1/docs/{docId}/acl/permissions/{permissionId}
```

### Categories
Confidence: 93%
Finding: DELETE /coda/apis/v1/docs/{docId}/acl/permissions/{permissionId}

VirusTotal

65/65 vendors flagged this skill as clean.
