ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Postman

v1.0.0

Build, test, and automate APIs with Postman collections, environments, and Newman CLI.

1· 537·4 current·4 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is an instruction-only Postman/Newman helper. It only requires the 'newman' binary and stores collections/environments under ~/postman/, which is consistent with building, running, and automating Postman collections.
Instruction Scope
Instructions focus on creating collections, environments, and running Newman locally. They direct the agent to create/read files in ~/postman/ and to save integration preferences to the agent's MAIN memory. One odd/informal directive: 'read setup.md silently' and 'never mention "setup" or file names' — this is not inherently malicious but is an unexpected instruction about presentation/stealth and should be clarified. The skill does not instruct sending data to external endpoints beyond the APIs the user configures.
Install Mechanism
No install spec is packaged; the README suggests installing Newman via npm (npm install -g newman), a standard public package. There are no downloads from untrusted URLs or archive extraction steps in the bundle.
Credentials
The skill does not require environment variables or credentials in its manifest. However, by design it encourages storing environments and running tests that use tokens/API keys. The docs explicitly warn against storing secrets in memory.md, but the agent is instructed to save 'authentication patterns' and integration preferences to MAIN memory — this could lead to accidental storage of sensitive values if the agent or user is careless. Users should avoid putting raw credentials into collection files or memory.md and instead use secure vaults/CI env vars when possible.
Persistence & Privilege
The skill will create and use a persistent directory under ~/postman/ and save preferences to MAIN memory. always:false (not force-included) and it does not request system-wide privilege changes or modify other skills. Persisting user preferences and collection files is expected for this functionality, but users should be aware that local files may contain secrets if not handled carefully.
Assessment
This skill appears coherent for local Postman/Newman workflows. Before installing or using it: 1) Ensure you have or will install the official 'newman' package from npm (or otherwise provide the binary). 2) Review any collection and environment JSON files before running them — they can contain URLs that will be called and may include secrets. 3) Do not store API tokens or passwords in ~/postman/memory.md or committed collection files; prefer CI environment variables or secure vaults and add environment files to .gitignore. 4) Note the odd phrasing in setup.md ('read setup.md silently' / 'never mention setup or file names') — ask the skill author why the agent is instructed to be silent about setup to ensure no unintended stealthy behavior. 5) If you allow the agent autonomous invocation in your environment, limit which collections it may run and avoid giving it collections that upload local files or call sensitive production endpoints without explicit confirmation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aq8y3rn89x7wmmqq4xtg7b981ty6n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📮 Clawdis
OSLinux · macOS · Windows
Binsnewman

Comments