ClawHub

Coda

v1.0.0

General-purpose Coda document manager via REST API v1. Supports listing/creating/updating/deleting docs, managing tables/rows/pages, triggering automations, and exploring doc structure. Requires CODA_API_TOKEN environment variable. Delete operations require explicit confirmation; publishing and permission changes require explicit user intent.

1· 1.5k·5 current·6 all-time
byTFM@0x7466
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the included script consistently implement a Coda REST API manager (docs, tables, rows, automations). The functionality requested in SKILL.md matches the code in scripts/coda_cli.py (HTTP calls to coda.io). However, the registry metadata claims no required environment variables or primary credential while SKILL.md and the script both require CODA_API_TOKEN — this mismatch is an incoherence.
Instruction Scope
SKILL.md and the CLI instructions are scoped to Coda API operations (list/create/update/delete docs/tables/rows, trigger automations, export). The instructions reference local files for batch operations (e.g., rows.json) which is expected. There are no instructions that tell the agent to read unrelated system files or call non-Coda endpoints in the visible content.
Install Mechanism
No install spec is provided (instruction-only + included Python script). That is lower risk than arbitrary downloads, but the script requires Python 3.7+ and the requests library; environments without requests fall back to urllib. Because the script is bundled but not installed atomically, the agent or user will execute code present in the package — review the included script before running.
!
Credentials
SKILL.md and scripts/coda_cli.py clearly require an environment variable CODA_API_TOKEN (token has broad access to user's accessible docs). Yet the registry metadata lists no required env vars and no primary credential. This mismatch is notable: the skill will request/use a sensitive credential not declared in the package metadata, which can lead to accidental token exposure if a user assumes no credentials are needed.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not claim to modify other skills or global agent configurations. Autonomous invocation is allowed (default) but not combined with any other elevated privilege in this package.
What to consider before installing
This package implements a plausible Coda API CLI, but the package metadata is inconsistent: SKILL.md and the included script require CODA_API_TOKEN, yet the registry metadata lists no required credentials. Before installing or running: 1) Inspect the full scripts/coda_cli.py file for any network calls to hosts other than coda.io and for any obfuscated code (the provided snippet looks normal but the file was truncated in the manifest). 2) Only provide a Coda API token with the least privilege necessary and avoid using a workspace-admin token. 3) Do not commit the token to version control; store it in a secure secret manager. 4) If you plan to run automations or batch imports, understand automations may trigger external actions and notifications. 5) Ask the publisher to correct the registry metadata to declare CODA_API_TOKEN as a required credential so the package description and registry align. If you cannot verify the code or metadata, run the tool in an isolated environment or decline to install.

Like a lobster shell, security has layers — review code before you run it.

latestvk972grt7knps844n82refhv3yd80rkdd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments