pp-postman-explore

SUSPICIOUS. The core purpose is coherent with the capabilities, and the no-auth scope is proportionate, but the skill materially extends trust to external CLIs/MCP executables and includes optional arbitrary webhook delivery. That is more risk than a simple Postman directory helper needs, so this looks like a plausible but moderately risky agent skill rather than confirmed malicious behavior.