Coda.io

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Coda API helper, but it needs review because it can change, delete, and share Coda content and some helper commands build JSON unsafely from command arguments.

Install only if you are comfortable giving the agent Coda access through your API token. Use the least-privileged token available, keep it out of files/logs/chat, and manually confirm doc IDs, recipient emails, access levels, deletes, and automation triggers before running them. Avoid passing untrusted or quote-containing text to helper commands that build JSON, or use stdin JSON/curl with properly encoded bodies instead.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The description advertises write, update, delete, sharing, permissions, publishing, and automation features without warning that these actions can modify or expose user data. In an agent setting, this can normalize sensitive or destructive operations and lead to unintended data loss or disclosure if the assistant acts on ambiguous prompts.

Missing User Warnings

Medium
Confidence: 91%
Finding
The setup instructions tell users to export and use a bearer API token but provide no credential-handling warning. This encourages unsafe token use patterns, and a broadly scoped token could grant extensive read/write/share access to Coda docs if exposed through logs, shell history, screenshots, or misconfigured environments.

VirusTotal

66/66 vendors flagged this skill as clean.
