Newman
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Newman API-testing purpose, but one helper script can execute unintended shell commands from crafted inputs and another may print detected secrets into logs.
Use this skill only for trusted collections and environments. Until the eval issue is fixed, avoid scripts/run-tests.sh with untrusted filenames or user-supplied options; prefer calling newman directly. Run the security audit only in private terminals or CI jobs with protected logs, and use environment variables or vault-backed CI secrets rather than hardcoded credentials.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the wrapper on untrusted paths or arguments could let a malicious project run local commands with the user's permissions.
The script accepts paths and options from the caller, concatenates them into a command string, and evaluates that string with the shell. An existing file whose name contains shell metacharacters, or a crafted option value, could therefore execute commands outside Newman.
COLLECTION="$1"
ENVIRONMENT="$2"
...
NEWMAN_CMD="newman run \"$COLLECTION\" -e \"$ENVIRONMENT\""
...
eval $NEWMAN_CMD
Remove eval and build the Newman invocation as a shell argument array; validate numeric fields and reporter names before running.
API keys, tokens, or passwords found in a collection could be exposed to shared terminals, CI logs, or saved audit output.
When the scanner detects likely secrets, it prints the matching lines, which may include the secret values themselves.
print_error "Hardcoded secrets detected in collection!"
echo " Found in lines:"
grep -niE '"(apikey|api_key|token|password|secret)"[[:space:]]*:[[:space:]]*"[a-zA-Z0-9_-]{8,}"' "$COLLECTION" | head -5
Redact matched values and print only file names, line numbers, and variable keys; avoid running the audit in public/shared logs until redaction is added.
The installed packages may change over time, and global installs can affect other projects or require elevated permissions.
The installer performs a global, unpinned npm install. This is normal for a Newman helper, but it depends on the current npm package contents and modifies the user's environment.
npm install -g newman newman-reporter-htmlextra
Pin package versions where possible, prefer project-local installs for CI/reproducibility, and install only from trusted npm sources.
A collection run can create, update, delete, or load-test real API resources if pointed at production credentials or URLs.
The skill documents load-style and production-oriented API test runs. This is purpose-aligned, but it can generate real traffic to user-selected API endpoints.
newman run collection.json \
  -n 100 \
  --delay-request 100
Run against staging by default, confirm the target environment before production tests, and use safe iteration counts and timeouts.
