mcp-postman
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFENO_CODE
Full Analysis
- [No Code] (SAFE): The provided skill file (SKILL.md) contains only YAML metadata and a brief markdown description. There are no scripts, binaries, or automated command-line instructions included.
- [Indirect Prompt Injection] (LOW): The skill is intended to process external Postman collections as a 'source of truth'. This creates an inherent surface for indirect prompt injection if the collections contain instructions designed to influence the agent.
- Ingestion points: External Postman collections and environments referenced in the description.
- Boundary markers: Absent; no specific instructions are provided to the agent to treat collection data as untrusted.
- Capability inventory: The skill description implies capabilities to inspect, maintain, and generate API requests/tests.
- Sanitization: Absent; no sanitization or validation logic is defined within the skill file.
Audit Metadata