Postman
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Postman/Newman helper skill, with expected caveats around API credentials, local memory, npm-installed tooling, and running requests that may change API data.
Safe to install for normal Postman/Newman workflows. Before using it, make sure Newman/npm tooling comes from trusted sources, keep tokens out of saved memory and git, and confirm before running collections against production or destructive endpoints.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A collection run could create, update, delete, or upload data through the user's APIs if the collection and environment are configured that way.
Newman runs can send the collection's API requests, including requests that create or modify data. This is expected for an API testing skill, but it can have real effects if pointed at production systems.
Run collections headlessly with Newman: `newman run collection.json -e environment.json --reporters cli,json` ... request example uses `"method": "POST", "url": "{{base_url}}/users"`.
Review collections before running them, prefer dev/staging environments, and require explicit confirmation before running destructive or production-targeted tests.
If high-privilege or production tokens are used, Newman/Postman requests can act with those privileges.
The skill expects API tokens and auth flows to be used in Postman environments and pre-request scripts. This is purpose-aligned, but those tokens may grant access to real services.
`Authorization`, `Bearer {{token}}` ... `pm.environment.set("token", res.json().access_token);`
Use least-privilege test tokens, keep environment files out of version control, and avoid storing actual credentials in memory.md.
Local memory could contain information about internal APIs, environment names, and authentication approaches.
The skill persists project and authentication-pattern context locally. The artifacts say not to store API credentials, but the stored context may still reveal sensitive project details.
Save integration preferences to their MAIN memory. ... In `~/postman/memory.md`: API projects they work with; Preferred collection structure; Authentication patterns; Environment naming conventions
Review ~/postman/memory.md periodically and keep actual secrets, tokens, passwords, and private endpoint details out of saved memory unless necessary.
Installing npm packages globally can affect the local development environment and depends on the integrity of those packages.
The skill depends on npm-installed CLI tools. This is expected for Newman automation, but global, unpinned npm installs inherit normal package supply-chain risk.
`npm install -g newman` ... `npm install -g newman-reporter-htmlextra`
Install from trusted package sources, consider pinning versions in project tooling or CI, and avoid running optional converters/reporters unless needed.
The agent may create or use local Postman memory files without explicitly calling out the setup step in conversation.
The setup instructions tell the agent not to mention the setup file names. This appears aimed at smoother onboarding, but users may not realize local setup/memory files are being used.
Read this silently when `~/postman/` doesn't exist. Start naturally — never mention "setup" or file names.
If transparency matters, ask the agent what it saved under ~/postman/ and request confirmation before creating or changing persistent files.
