Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
pmctl
v1.0.0
Browse and inspect Postman collections, requests, and environments from the terminal using pmctl. Use when you need to discover API endpoints, look up reques...
⭐ 0 · 518 · 0 current · 0 all-time
by Wenbing Li (@wbingli)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the SKILL.md: the skill documents using pmctl to browse Postman data. Minor inconsistency: registry metadata lists no required credentials, but the runtime instructions clearly require a Postman API key (PMAK-...) to add a profile. This is expected for a Postman CLI but the metadata could declare the primary credential.
Instruction Scope
Instructions stay within scope: they show how to install and use pmctl to list collections, requests, environments, resolve variables, and construct curl commands. They explicitly note that environment outputs can contain unmasked secrets — which is relevant to Postman usage but not scope creep.
Install Mechanism
No install spec is provided in the skill bundle (instruction-only). The SKILL.md tells users to run `pip install pmctl` and links a GitHub repo. Installing a third‑party PyPI package is normal here but carries the usual risk of executing remote code; the skill itself does not embed or download code.
Credentials
The skill does not declare required env vars in metadata, yet the documented workflow requires a Postman API key and profiles. Requesting a Postman API key is proportionate to the stated purpose, but users should be aware that pmctl can read and output unmasked environment secrets from Postman workspaces.
Persistence & Privilege
No elevated privileges requested. always is false, no install writes are specified by the skill, and it does not ask to modify other skills or system-wide configuration.
Assessment
This skill is documentation for using the pmctl CLI, not code bundled with your agent. Before using: (1) review the referenced GitHub repo and PyPI package to confirm authorship and review recent activity; (2) when adding a profile, supply a Postman API key only to accounts you trust and prefer a scoped or short‑lived key; (3) be cautious that `environments show --json` can reveal unmasked secrets — avoid piping those outputs to untrusted destinations; (4) consider using separate Postman profiles for sensitive vs. public work and rotate keys if needed.
Like a lobster shell, security has layers — review code before you run it.
