performing-api-security-testing-with-postman

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly sends requests to arbitrary target APIs (e.g., SKILL.md examples like GET {{base_url}}/users/{{other_user_id}} and the collection pre-request script that reads pm.response.json() to set auth_token/user_id) and scripts/agent.py runs Newman and parses newman-results.json, so untrusted third‑party responses are ingested and can alter environment variables and drive subsequent requests or CI actions.