Skills
skills/postman-devrel/postman-claude-code-plugin/send-request/Gen Agent Trust Hub

send-request

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Executes the 'postman' command-line interface to perform network operations and file reads.- [DATA_EXFILTRATION]: Facilitates sending sensitive information, including Bearer tokens, API keys, and Basic Auth credentials, to external URLs. The destination URL can be provided by the user or read from local configuration files.- [REMOTE_CODE_EXECUTION]: Utilizes the '--script-pre-request' and '--script-post-request' flags which allow the Postman CLI to execute JavaScript code from local files (@pre.js, @post.js).- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by ingesting data from untrusted '.request.yaml' files in the 'postman/collections/' directory. Evidence: 1. Ingestion points: 'postman/collections/.request.yaml' files. 2. Boundary markers: Absent. 3. Capability inventory: Network requests, local file reads, and JavaScript script execution. 4. Sanitization: Absent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 13, 2026, 12:41 AM