postman-newman-automation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt contains examples and patterns that embed secrets directly into commands or URLs (e.g., ?apikey=..., --env-var "token=abc123") and shows credential interpolation into shell commands, which would require or encourage the LLM to output secret values verbatim and thus poses exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow (Step 1 "Collection source | File path, URL, or Postman API UID?" and Step 2 example "newman run 'https://api.getpostman.com/collections/?apikey=...'" ) explicitly accepts and runs collections fetched from arbitrary URLs or the Postman API (user-created collections), meaning the agent will ingest and act on untrusted third-party content that can change execution behavior.