← Back to Skills Marketplace
804
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install coda-io
Description
Interact with Coda.io docs, tables, rows, pages, and automations via the Coda REST API v1. Use when the user wants to read, write, update, or delete data in...
README (SKILL.md)
Coda API Skill
Interact with Coda.io via its REST API v1. Base URL: https://coda.io/apis/v1
Setup
- Get API token at https://coda.io/account → "API settings" → "Generate API token"
- Set env var:
export CODA_API_TOKEN="\x3Ctoken>" - Verify:
bash scripts/coda.sh whoami
Helper Script
scripts/coda.sh wraps common operations. Run bash scripts/coda.sh help for usage.
Examples:
# List docs
bash scripts/coda.sh list-docs | jq '.items[].name'
# List tables in a doc
bash scripts/coda.sh list-tables AbCDeFGH | jq '.items[] | {id, name}'
# List columns (discover IDs before writing)
bash scripts/coda.sh list-columns AbCDeFGH grid-abc | jq '.items[] | {id, name}'
# Read rows with column names
bash scripts/coda.sh list-rows AbCDeFGH grid-abc 10 true | jq '.items'
# Insert rows
echo '{"rows":[{"cells":[{"column":"c-abc","value":"Hello"}]}]}' | \
bash scripts/coda.sh insert-rows AbCDeFGH grid-abc
# Upsert rows (match on key column)
echo '{"rows":[{"cells":[{"column":"c-abc","value":"Hello"},{"column":"c-def","value":42}]}],"keyColumns":["c-abc"]}' | \
bash scripts/coda.sh upsert-rows AbCDeFGH grid-abc
# Share doc
bash scripts/coda.sh share-doc AbCDeFGH [email protected] write
Workflow: Reading Data
list-docs→ find the doc IDlist-tables \x3CdocId>→ find the table IDlist-columns \x3CdocId> \x3CtableId>→ discover column IDs/nameslist-rows \x3CdocId> \x3CtableId>→ read data
Workflow: Writing Data
- Discover column IDs first (step 3 above)
- Build row JSON with
cellsarray using column IDs insert-rows(new data) orupsert-rows(withkeyColumnsfor idempotent writes)- Write ops return HTTP 202 +
requestId→ poll withmutation-statusif confirmation needed
Key Concepts
- IDs over names: Use resource IDs (stable) rather than names (user-editable)
- Eventual consistency: Writes are async (HTTP 202). Poll
mutation-statusto confirm. - Pagination: List endpoints return
nextPageToken. Pass aspageTokenfor next page. - Rate limits: Read 100/6s, Write 10/6s, Doc content write 5/10s. Respect 429 with backoff.
- Fresh reads: Add header
X-Coda-Doc-Version: latestto ensure non-stale data (may 400). - valueFormat:
simple(default),simpleWithArrays,richfor structured data. - Doc ID from URL:
https://coda.io/d/Title_d\x3CDOC_ID>→ the part after_dis the doc ID.
Direct curl (when script doesn't cover it)
curl -s -H "Authorization: Bearer $CODA_API_TOKEN" \
"https://coda.io/apis/v1/docs/{docId}/tables/{tableId}/rows?useColumnNames=true&limit=50"
For writes:
curl -s -H "Authorization: Bearer $CODA_API_TOKEN" \
-H "Content-Type: application/json" \
-X POST -d '{"rows":[...]}' \
"https://coda.io/apis/v1/docs/{docId}/tables/{tableId}/rows"
Full API Reference
See references/api-endpoints.md for complete endpoint listing with parameters, body schemas, and response details.
Searchable by section: Account, Folders, Docs, Pages, Tables, Columns, Rows, Formulas, Controls, Permissions, Publishing, Automations, Analytics, Miscellaneous.
Usage Guidance
This skill is a coherent Coda API client, but note that the SKILL.md and included script require CODA_API_TOKEN even though the registry metadata does not declare it — that's a packaging inconsistency. Before installing: (1) only provide a Coda API token you trust and create a token with least privileges possible (dedicated account or restricted scope) so you can revoke it easily; (2) review the scripts/coda.sh content yourself (it is short and uses curl to call https://coda.io/apis/v1); (3) avoid pasting a high-privilege or personal token into untrusted agents — create a scoped token for this skill; (4) if you need stronger assurance, ask the publisher for a homepage/source repository or verify the publisher identity, since the skill's source/homepage are unknown. If you are comfortable with these points, the skill appears to do what it claims.
Capability Analysis
Type: OpenClaw Skill
Name: coda-io
Version: 1.2.0
The skill bundle is classified as suspicious due to a JSON injection vulnerability in `scripts/coda.sh`. Several commands (e.g., `create-doc`, `create-folder`, `share-doc`, `trigger-automation`) construct JSON request bodies by directly interpolating user-provided arguments into JSON strings. If these arguments contain double quotes or backslashes, an attacker could inject arbitrary JSON, potentially altering the API request in unintended ways (e.g., changing folder IDs, adding unauthorized permissions, or manipulating automation payloads). While there is no evidence of intentional malicious behavior like data exfiltration or persistence, this lack of input sanitization for JSON construction is a significant vulnerability.
Capability Assessment
Purpose & Capability
Name, description, SKILL.md, API reference, and the included script all align with a Coda REST API helper. The operations the skill performs (list/read/write/share/automations) match the stated purpose. However, the registry metadata lists no required environment variables or primary credential while SKILL.md and scripts explicitly require CODA_API_TOKEN — a packaging/metadata inconsistency.
Instruction Scope
Runtime instructions and the helper script limit actions to calling Coda's documented REST endpoints using the CODA_API_TOKEN. The skill does not instruct reading unrelated files, other env vars, or contacting unexpected external endpoints. All documented commands are scoped to Coda API interactions.
Install Mechanism
There is no install spec (instruction-only) and a small helper script is included. Nothing in the manifest downloads or extracts external code from untrusted URLs, so install risk is low. The script will be executed locally when run.
Credentials
The skill requires a single API credential (CODA_API_TOKEN), which is appropriate for the declared purpose. However, the registry metadata/requirements do not declare that env var (registry says none required) while SKILL.md and scripts require it — this mismatch can mislead users into thinking no credentials are needed. The requested secret name is appropriate for Coda, but users should limit the token's scope and treat it as sensitive.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation (disable-model-invocation=false) is the default and not by itself a red flag; it is not combined with other high-risk requests here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install coda-io - After installation, invoke the skill by name or use
/coda-io - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Fix: Move env declaration to metadata field for proper validation
v1.1.0
Fix: Declare required CODA_API_TOKEN env var in frontmatter metadata
v1.0.0
Initial release: Full Coda.io API v1 skill with helper script and endpoint reference
Metadata
Frequently Asked Questions
What is Coda.io?
Interact with Coda.io docs, tables, rows, pages, and automations via the Coda REST API v1. Use when the user wants to read, write, update, or delete data in... It is an AI Agent Skill for Claude Code / OpenClaw, with 804 downloads so far.
How do I install Coda.io?
Run "/install coda-io" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Coda.io free?
Yes, Coda.io is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Coda.io support?
Coda.io is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Coda.io?
It is built and maintained by simonfunk (@simonfunk); the current version is v1.2.0.
More Skills