Coda.io
v1.2.0
Interact with Coda.io docs, tables, rows, pages, and automations via the Coda REST API v1. Use when the user wants to read, write, update, or delete data in...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, API reference, and the included script all align with a Coda REST API helper. The operations the skill performs (list/read/write/share/automations) match the stated purpose. However, the registry metadata lists no required environment variables or primary credential while SKILL.md and scripts explicitly require CODA_API_TOKEN — a packaging/metadata inconsistency.
Instruction Scope
Runtime instructions and the helper script limit actions to calling Coda's documented REST endpoints using the CODA_API_TOKEN. The skill does not instruct reading unrelated files, other env vars, or contacting unexpected external endpoints. All documented commands are scoped to Coda API interactions.
Install Mechanism
There is no install spec (instruction-only) and a small helper script is included. Nothing in the manifest downloads or extracts external code from untrusted URLs, so install risk is low. The script will be executed locally when run.
Credentials
The skill requires a single API credential (CODA_API_TOKEN), which is appropriate for the declared purpose. However, the registry metadata/requirements do not declare that env var (registry says none required) while SKILL.md and scripts require it — this mismatch can mislead users into thinking no credentials are needed. The requested secret name is appropriate for Coda, but users should limit the token's scope and treat it as sensitive.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation (disable-model-invocation=false) is the default and not by itself a red flag; it is not combined with other high-risk requests here.
What to consider before installing
This skill is a coherent Coda API client, but note that the SKILL.md and included script require CODA_API_TOKEN even though the registry metadata does not declare it — that's a packaging inconsistency. Before installing: (1) only provide a Coda API token you trust and create a token with least privileges possible (dedicated account or restricted scope) so you can revoke it easily; (2) review the scripts/coda.sh content yourself (it is short and uses curl to call https://coda.io/apis/v1); (3) avoid pasting a high-privilege or personal token into untrusted agents — create a scoped token for this skill; (4) if you need stronger assurance, ask the publisher for a homepage/source repository or verify the publisher identity, since the skill's source/homepage are unknown. If you are comfortable with these points, the skill appears to do what it claims.
Like a lobster shell, security has layers — review code before you run it.
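The review in point (2) and the declared-versus-required credential mismatch can be checked mechanically. The following is an added example, not part of the skill or the scan: it lists environment variables a shell script reads and hosts it hard-codes, and reports anything beyond what was declared. The function name, the declared/allowed inputs and the sample script are assumptions constructed for illustration.

```python
import re

ENV_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)")      # $NAME or ${NAME...}
ASSIGN = re.compile(r"^\s*(?:export\s+|local\s+|readonly\s+)?([A-Z][A-Z0-9_]*)=")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")  # host of a hard-coded URL

def audit_script(text, declared_env, allowed_hosts):
    """Report env vars read and hosts contacted beyond what was declared."""
    assigned, referenced, hosts = set(), set(), set()
    for line in text.splitlines():
        if line.lstrip().startswith("#"):   # skip shebang and full-line comments
            continue
        match = ASSIGN.match(line)
        if match:                            # variable set by the script itself
            assigned.add(match.group(1))
        referenced.update(ENV_REF.findall(line))
        hosts.update(h.lower() for h in URL_HOST.findall(line))
    return {
        "undeclared_env": sorted(referenced - assigned - set(declared_env)),
        "unexpected_hosts": sorted(hosts - set(allowed_hosts)),
    }

# Constructed stand-in for a helper script; NOT the real scripts/coda.sh.
SAMPLE = r'''#!/usr/bin/env bash
BASE="https://coda.io/apis/v1"
: "${CODA_API_TOKEN:?CODA_API_TOKEN is not set}"
curl -s -H "Authorization: Bearer $CODA_API_TOKEN" "$BASE/whoami"
'''

if __name__ == "__main__":
    # The registry metadata in the report declares no env vars: expect a finding.
    print(audit_script(SAMPLE, declared_env=[], allowed_hosts={"coda.io"}))
```

The check is textual, so a variable the script both exports and reads is treated as script-local; it narrows what to read by hand rather than replacing the read.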
latest
Coda API Skill
Interact with Coda.io via its REST API v1. Base URL: https://coda.io/apis/v1
Setup
- Get API token at https://coda.io/account → "API settings" → "Generate API token"
- Set env var:
export CODA_API_TOKEN="<token>"
- Verify:
bash scripts/coda.sh whoami
Helper Script
scripts/coda.sh wraps common operations. Run bash scripts/coda.sh help for usage.
Examples:
# List docs
bash scripts/coda.sh list-docs | jq '.items[].name'
# List tables in a doc
bash scripts/coda.sh list-tables AbCDeFGH | jq '.items[] | {id, name}'
# List columns (discover IDs before writing)
bash scripts/coda.sh list-columns AbCDeFGH grid-abc | jq '.items[] | {id, name}'
# Read rows with column names
bash scripts/coda.sh list-rows AbCDeFGH grid-abc 10 true | jq '.items'
# Insert rows
echo '{"rows":[{"cells":[{"column":"c-abc","value":"Hello"}]}]}' | \
bash scripts/coda.sh insert-rows AbCDeFGH grid-abc
# Upsert rows (match on key column)
echo '{"rows":[{"cells":[{"column":"c-abc","value":"Hello"},{"column":"c-def","value":42}]}],"keyColumns":["c-abc"]}' | \
bash scripts/coda.sh upsert-rows AbCDeFGH grid-abc
# Share doc
bash scripts/coda.sh share-doc AbCDeFGH user@example.com write
Workflow: Reading Data
1. list-docs → find the doc ID
2. list-tables <docId> → find the table ID
3. list-columns <docId> <tableId> → discover column IDs/names
4. list-rows <docId> <tableId> → read data
Workflow: Writing Data
- Discover column IDs first (step 3 above)
- Build row JSON with cells array using column IDs
- insert-rows (new data) or upsert-rows (with keyColumns for idempotent writes)
- Write ops return HTTP 202 + requestId → poll with mutation-status if confirmation needed
Key Concepts
- IDs over names: Use resource IDs (stable) rather than names (user-editable)
- Eventual consistency: Writes are async (HTTP 202). Poll mutation-status to confirm.
- Pagination: List endpoints return nextPageToken. Pass as pageToken for next page.
- Rate limits: Read 100/6s, Write 10/6s, Doc content write 5/10s. Respect 429 with backoff.
- Fresh reads: Add header X-Coda-Doc-Version: latest to ensure non-stale data (may 400).
- valueFormat: simple (default), simpleWithArrays, rich for structured data.
- Doc ID from URL: https://coda.io/d/Title_d<DOC_ID> → the part after _d is the doc ID.
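The pagination and rate-limit rules above, combined in one reader. This is an added example in Python, not the skill's scripts/coda.sh: it follows nextPageToken, backs off on HTTP 429, and percent-encodes the IDs before placing them in the path. The function names, the backoff schedule, resending the query parameters alongside pageToken, and the demo responses are assumptions.

```python
import json, os, time
import urllib.error, urllib.parse, urllib.request

BASE = "https://coda.io/apis/v1"

def http_get(url):
    """Real transport: GET with the bearer token, return (status, JSON body)."""
    req = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + os.environ["CODA_API_TOKEN"]})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def list_all_rows(doc_id, table_id, get=http_get, sleep=time.sleep,
                  page_size=50, max_retries=5):
    """Return every row, following nextPageToken and backing off on HTTP 429."""
    enc = lambda part: urllib.parse.quote(part, safe="")  # IDs cannot alter the path
    path = "/docs/%s/tables/%s/rows" % (enc(doc_id), enc(table_id))
    rows, token = [], None
    while True:
        params = {"useColumnNames": "true", "limit": page_size}
        if token:
            params["pageToken"] = token      # assumption: sent with the same params
        url = BASE + path + "?" + urllib.parse.urlencode(params)
        for attempt in range(max_retries + 1):
            status, body = get(url)
            if status != 429 or attempt == max_retries:
                break
            sleep(min(2 ** attempt, 6))      # 1s, 2s, 4s, then the 6s read window
        if status != 200:
            raise RuntimeError("Coda API returned HTTP %d" % status)
        rows.extend(body.get("items", []))
        token = body.get("nextPageToken")
        if not token:
            return rows

# Constructed responses (not captured from Coda): one 429, then two pages.
DEMO_PAGES = [(429, {}),
              (200, {"items": [{"id": "i-1"}], "nextPageToken": "t1"}),
              (200, {"items": [{"id": "i-2"}]})]

def demo():
    pages, waits = iter(DEMO_PAGES), []
    rows = list_all_rows("AbCDeFGH", "grid-abc",
                         get=lambda url: next(pages), sleep=waits.append)
    return [r["id"] for r in rows], waits
```

The token is read from the environment only when the real transport is called, so it never appears in the URL or in the function arguments.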
Direct curl (when script doesn't cover it)
curl -s -H "Authorization: Bearer $CODA_API_TOKEN" \
"https://coda.io/apis/v1/docs/{docId}/tables/{tableId}/rows?useColumnNames=true&limit=50"
For writes:
curl -s -H "Authorization: Bearer $CODA_API_TOKEN" \
-H "Content-Type: application/json" \
-X POST -d '{"rows":[...]}' \
"https://coda.io/apis/v1/docs/{docId}/tables/{tableId}/rows"
Full API Reference
See references/api-endpoints.md for complete endpoint listing with parameters, body schemas, and response details.
Searchable by section: Account, Folders, Docs, Pages, Tables, Columns, Rows, Formulas, Controls, Permissions, Publishing, Automations, Analytics, Miscellaneous.
