api-testing
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill contains instructions to download a Postman MCP server from a third-party GitHub repository ('github.com/shannonlal/mcp-postman'). This repository is not affiliated with the skill author ('karchtho') or any trusted vendors.- [COMMAND_EXECUTION]: The skill suggests executing shell commands to clone external repositories, install packages globally ('npm install -g newman'), and build software locally ('pnpm install && pnpm build'). It also provides instructions to modify the local Claude configuration file located at '~/.config/claude/config.json'.- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
- Ingestion points: The skill processes external data from API responses, Postman collection results, and Newman test reports.
- Boundary markers: No specific delimiters or safety instructions are defined to separate untrusted test data from agent instructions.
- Capability inventory: The skill has the capability to execute subprocesses via 'newman', 'npm', and 'git'.
- Sanitization: No evidence of validation or sanitization of content from external test reports or API endpoints is provided.
Audit Metadata