Skill v1.2.0
VirusTotal security
Coda.io · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review May 1, 2026, 4:08 AM
- Hash: 379b0e4d62f2eaf6bcac4e9ec82e57a07c51f7adee3112bbc80b82eea80489d3
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: coda-io; Version: 1.2.0. The skill bundle is classified as suspicious due to a JSON injection vulnerability in `scripts/coda.sh`. Several commands (e.g., `create-doc`, `create-folder`, `share-doc`, `trigger-automation`) construct JSON request bodies by directly interpolating user-provided arguments into JSON strings. If these arguments contain double quotes or backslashes, an attacker could inject arbitrary JSON, potentially altering the API request in unintended ways (e.g., changing folder IDs, adding unauthorized permissions, or manipulating automation payloads). While there is no evidence of intentional malicious behavior like data exfiltration or persistence, this lack of input sanitization for JSON construction is a significant vulnerability.
