Missing User Warnings
Medium
- Confidence
- 96% confidence
- Finding
- The skill explicitly advertises that `environments show --json` returns unmasked secrets and frames this as useful for scripting, but provides no warning, masking guidance, or handling precautions. In this context, Postman environments commonly contain API keys, tokens, and base URLs, so encouraging raw secret extraction materially increases the risk of credential disclosure through terminal history, logs, screenshots, and downstream piping.
