pmctl

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Postman inspection helper, but it requires a Postman API key and can display unmasked environment secrets.

This skill appears purpose-aligned for browsing Postman data from the terminal. Before using it, be aware that the configured Postman API key may expose all workspaces and environments the key can access, and some commands can print unmasked secrets. Install pmctl only from a trusted source and avoid sending secret output into logs or conversations.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone, or any agent, with access to the configured profile can inspect every Postman workspace, collection, request, and environment that the stored API key is allowed to read.

Why it was flagged

The skill requires a Postman API key and configures a local profile. This is expected for Postman access, but it grants account-level API visibility according to the key's permissions.

Skill content
pmctl profile add <name> --api-key "PMAK-..." --default
Recommendation

Use a least-privileged Postman API key if available, avoid sharing the configured profile, and remove the profile when it is no longer needed.

What this means

Secrets stored in Postman environments could be printed into the terminal or copied into later prompts, logs, scripts, or command history.

Why it was flagged

The documented environment commands can output full, unmasked Postman environment values, which may include credentials, tokens, or production endpoints.

Skill content
environments show --json returns **unmasked** secrets — useful for scripting
Recommendation

Only run full environment display commands when necessary, avoid pasting secret output into chats or logs, and prefer querying only the specific non-secret variable needed.
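One way to act on this recommendation, as an added example that is not pmctl's own code: post-process an environment document so that secret values are redacted before anything is printed, and fetch a single variable by name with a guard that refuses secrets unless the caller opts in. The input shape assumed here (a top-level "values" list of objects with "key", "value", "enabled" and "type", where "type" is "default" or "secret") follows the Postman environment export format as understood by the author of this example; the key and value patterns, the sample data and the function names are all constructed for illustration.

```python
"""Redact secrets from a Postman environment JSON document before it is
displayed, logged, or pasted anywhere.

Added example; not part of pmctl. The input shape ("values" list of
{"key", "value", "enabled", "type"} with type "default" or "secret") is an
assumption about the Postman environment export format.
"""
import json
import re

# Keys whose values are treated as secrets even when Postman marks them
# "default". Heuristic; extend it to match your own naming conventions.
SENSITIVE_KEY_RE = re.compile(
    r"(api[_-]?key|secret|token|passw(or)?d|bearer|private[_-]?key)",
    re.IGNORECASE,
)

# Value prefixes that look like credentials regardless of the key name
# (Postman, OpenAI-style, GitHub, AWS access key, Slack, JWT header).
SENSITIVE_VALUE_RE = re.compile(
    r"^(PMAK-|sk-|ghp_|AKIA|xox[abp]-|eyJ[A-Za-z0-9_-]{10,}\.)"
)

REDACTED = "<redacted>"


def is_sensitive(var: dict) -> bool:
    """True if the variable is a Postman secret or merely looks like one."""
    if var.get("type") == "secret":
        return True
    key = str(var.get("key", ""))
    value = str(var.get("value", ""))
    return bool(SENSITIVE_KEY_RE.search(key) or SENSITIVE_VALUE_RE.match(value))


def redact_environment(doc: dict) -> dict:
    """Return a deep copy of the environment with sensitive values replaced."""
    out = json.loads(json.dumps(doc))
    for var in out.get("values", []):
        if is_sensitive(var):
            var["value"] = REDACTED
    return out


def get_variable(doc: dict, key: str, allow_secret: bool = False) -> str:
    """Fetch one variable by name. Refuses secrets unless explicitly allowed,
    so a script asking for 'base_url' cannot accidentally pull a token."""
    for var in doc.get("values", []):
        if var.get("key") == key:
            if is_sensitive(var) and not allow_secret:
                raise PermissionError(f"{key!r} is a secret; pass allow_secret=True")
            return str(var.get("value", ""))
    raise KeyError(key)


# Constructed sample shaped like a Postman environment export; not real data.
SAMPLE_ENV = {
    "name": "staging",
    "values": [
        {"key": "base_url", "value": "https://api.staging.example", "enabled": True, "type": "default"},
        {"key": "api_token", "value": "tok_notreal_123", "enabled": True, "type": "secret"},
        {"key": "db_password", "value": "hunter2", "enabled": True, "type": "default"},
        {"key": "region", "value": "eu-west-1", "enabled": True, "type": "default"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(redact_environment(SAMPLE_ENV), indent=2))
    print(get_variable(SAMPLE_ENV, "base_url"))
```

The key-name heuristic matters because a Postman variable only gets the "secret" type if someone set it that way; db_password above is typed "default" and would be printed in clear by a tool that trusts the type field alone.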

What this means

Installing the package runs code outside the reviewed skill artifact, so package provenance and version changes matter.

Why it was flagged

The skill relies on an external package installed from PyPI, and the reviewed artifacts do not include that package's code or a pinned version.

Skill content
Requires pmctl to be installed (`pip install pmctl`).
Recommendation

Install from a trusted environment, verify the package/source repository, and consider pinning a known-good pmctl version.
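To make "pin a known-good version" concrete, here is an added example (not pmctl's code) of the check that pip's --require-hashes mode performs: parse an exactly pinned, hash-locked requirement line and refuse a downloaded artifact whose name or digest does not match it. The version 0.0.0, the artifact bytes and the digest are placeholders constructed for the demo; real values come from downloading the release you reviewed and hashing it, for example with pip download followed by pip hash.

```python
"""Check a downloaded Python package artifact against a pinned, hash-locked
requirements line before installing it.

Added example; not pmctl's code. The requirement line, version and hash
below are hypothetical placeholders.
"""
import hashlib
import re
from dataclasses import dataclass

# requirements.txt line syntax pip accepts with --require-hashes:
#   name==version --hash=sha256:<hex> [--hash=sha256:<hex> ...]
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==([A-Za-z0-9_.+!\-]+)\s*(.*)$")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    hashes: frozenset  # set of (algorithm, hexdigest) pairs


def parse_pin(line: str) -> Pin:
    """Parse one exactly-pinned requirement line; reject ranges and
    lines without a hash, since neither fixes the artifact."""
    m = PIN_RE.match(line.split("#", 1)[0])
    if not m:
        raise ValueError("requirement must be exact (name==version): " + line)
    name, version, rest = m.groups()
    hashes = frozenset((a.lower(), h.lower()) for a, h in HASH_RE.findall(rest))
    if not hashes:
        raise ValueError("requirement has no --hash= entries: " + line)
    return Pin(name.lower().replace("_", "-"), version, hashes)


def artifact_matches(pin: Pin, filename: str, data: bytes) -> bool:
    """True only if the file name carries the pinned name and version and
    its digest equals one of the pinned hashes (pip requires at least one)."""
    norm = filename.lower().replace("_", "-")
    prefix = f"{pin.name}-{pin.version}"
    if not (norm.startswith(prefix + "-") or norm.startswith(prefix + ".tar.gz")):
        return False
    for algo, expected in pin.hashes:
        if hashlib.new(algo, data).hexdigest() == expected:
            return True
    return False


def check_download(pin_line: str, filename: str, data: bytes) -> bool:
    """Gate to run before `pip install --no-deps <file>`."""
    return artifact_matches(parse_pin(pin_line), filename, data)


# Constructed artifact and a pin derived from it; 0.0.0 is a placeholder version.
FAKE_WHEEL = b"PK\x03\x04 not a real wheel, just bytes for the demo"
FAKE_SHA256 = hashlib.sha256(FAKE_WHEEL).hexdigest()
PIN_LINE = f"pmctl==0.0.0 --hash=sha256:{FAKE_SHA256}"

if __name__ == "__main__":
    print(check_download(PIN_LINE, "pmctl-0.0.0-py3-none-any.whl", FAKE_WHEEL))
```

In practice you keep the pinned line in a requirements file and install with `pip install --require-hashes -r requirements.txt`, which performs this same check for every listed package; the function above shows what that flag is protecting against: a later upload under the same name, or a different version, silently replacing the artifact you reviewed.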