Security scan
OpenClaw
Security
High confidence: The skill's requirements and instructions line up with its stated purpose (local Postman/Newman collection management and test automation); nothing in the bundle requests unrelated credentials or installs arbitrary remote code.
Assessment recommendations
This skill appears coherent for local Postman/Newman workflows. Before installing or using it: 1) Ensure you have or will install the official 'newman' package from npm (or otherwise provide the binary). 2) Review any collection and environment JSON files before running them — they can contain URLs that will be called and may include secrets. 3) Do not store API tokens or passwords in ~/postman/memory.md or committed collection files; prefer CI environment variables or secure vaults and add envi...
✓ Purpose and capabilities
The skill is an instruction-only Postman/Newman helper. It only requires the 'newman' binary and stores collections/environments under ~/postman/, which is consistent with building, running, and automating Postman collections.
ℹ Instruction scope
Instructions focus on creating collections, environments, and running Newman locally. They direct the agent to create/read files in ~/postman/ and to save integration preferences to the agent's MAIN memory. One odd/informal directive: 'read setup.md silently' and 'never mention "setup" or file names' — this is not inherently malicious but is an unexpected instruction about presentation/stealth and should be clarified. The skill does not instruct sending data to external endpoints beyond the APIs the user configures.
✓ Install mechanism
No install spec is packaged; the README suggests installing Newman via npm (npm install -g newman), a standard public package. There are no downloads from untrusted URLs or archive extraction steps in the bundle.
ℹ Credential requirements
The skill does not require environment variables or credentials in its manifest. However, by design it encourages storing environments and running tests that use tokens/API keys. The docs explicitly warn against storing secrets in memory.md, but the agent is instructed to save 'authentication patterns' and integration preferences to MAIN memory — this could lead to accidental storage of sensitive values if the agent or user is careless. Users should avoid putting raw credentials into collection files or memory.md and instead use secure vaults/CI env vars when possible.
ℹ Persistence and permissions
The skill will create and use a persistent directory under ~/postman/ and save preferences to MAIN memory. It is always:false (not force-included), and it does not request system-wide privilege changes or modify other skills. Persisting user preferences and collection files is expected for this functionality, but users should be aware that local files may contain secrets if not handled carefully.
Security comes in layers; review the code before running it.
Runtime dependencies
🖥️ OS: Linux · macOS · Windows
Versions
latest: v1.0.0 · 2026/2/25
Initial release with collections, environments, and Newman automation.
● Suspicious
Install command
Official: npx clawhub@latest install postman
Mirror: npx clawhub@latest install postman --registry https://cn.clawhub-mirror.com
Skill documentation
Setup
If ~/postman/ doesn't exist, read setup.md silently and start naturally.
When to use
User needs to test APIs, create Postman collections, manage environments, or run automated API tests with Newman.
Architecture
Data lives in ~/postman/. See memory-template.md for structure.
```
~/postman/
├── memory.md        # Projects, preferences, common patterns
├── collections/     # Postman collection JSON files
└── environments/    # Environment JSON files
```
Quick Reference
| Topic | File |
|---|---|
| Setup | setup.md |
| Memory template | memory-template.md |
| Collection format | collections.md |
| Newman automation | newman.md |
Core Rules
1. Collection Structure First
Before creating requests, define the collection structure:
- Folder hierarchy reflects API organization
- Use descriptive names: Users > Create User, not POST 1
- Group related endpoints logically
2. Environment Variables Always
Never hardcode values that change between environments:
```json
{
  "key": "base_url",
  "value": "https://api.example.com",
  "enabled": true
}
```
Use {{base_url}} in requests. Environments: dev, staging, prod.
3. Pre-request Scripts for Auth
Handle authentication in pre-request scripts, not manually:
```javascript
// Get a token from the auth endpoint and store it for the whole collection
pm.sendRequest({
  url: pm.environment.get("auth_url"),
  method: 'POST',
  header: { 'Content-Type': 'application/json' }, // JSON body needs an explicit Content-Type
  body: { mode: 'raw', raw: JSON.stringify({...}) } // credentials payload for the auth endpoint
}, (err, res) => {
  if (err) { console.error(err); return; } // never set a token from a failed request
  pm.environment.set("token", res.json().access_token);
});
```
4. Test Assertions Required
Every request needs at least basic assertions:
```javascript
pm.test("Status 200", () => pm.response.to.have.status(200));
pm.test("Has data", () => pm.expect(pm.response.json()).to.have.property("data"));
```
5. Newman for CI/CD
Run collections headlessly with Newman:
```shell
newman run collection.json -e environment.json --reporters cli,json
```
Exit code 0 = all tests passed. Integrate into CI pipelines.
Collection Format
Minimal Collection
```json
{
  "info": {
    "name": "My API",
    "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
  },
  "item": [
    {
      "name": "Get Users",
      "request": {
        "method": "GET",
        "url": "{{base_url}}/users",
        "header": [
          { "key": "Authorization", "value": "Bearer {{token}}" }
        ]
      }
    }
  ]
}
```
With Tests
```json
{
  "name": "Create User",
  "request": {
    "method": "POST",
    "url": "{{base_url}}/users",
    "body": {
      "mode": "raw",
      "raw": "{\"name\": \"{{$randomFullName}}\", \"email\": \"{{$randomEmail}}\"}",
      "options": { "raw": { "language": "json" } }
    }
  },
  "event": [
    {
      "listen": "test",
      "script": {
        "exec": [
          "pm.test('Created', () => pm.response.to.have.status(201));",
          "pm.test('Has ID', () => pm.expect(pm.response.json().id).to.exist);"
        ]
      }
    }
  ]
}
```
Environment Format
```json
{
  "name": "Development",
  "values": [
    { "key": "base_url", "value": "http://localhost:3000", "enabled": true },
    { "key": "token", "value": "", "enabled": true }
  ]
}
```
Newman Commands
| Task | Command |
|---|---|
| Basic run | newman run collection.json |
| With environment | newman run collection.json -e dev.json |
| Specific folder | newman run collection.json --folder "Users" |
| Iterations | newman run collection.json -n 10 |
| Data file | newman run collection.json -d data.csv |
| HTML report | newman run collection.json -r htmlextra |
| Bail on fail | newman run collection.json --bail |
Common Traps
- Hardcoded URLs → Tests break between environments. Always use {{base_url}}.
- No assertions → Tests "pass" but don't verify anything. Add status + body checks.
- Secrets in collection → Credentials leak. Use environment variables, gitignore env files.
- Sequential dependencies → Tests fail randomly. Use setNextRequest() explicitly or make tests independent.
- Missing Content-Type → POST/PUT fails silently. Always set Content-Type: application/json.
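As an added example (not part of the skill's own files), a pre-run lint that applies the Core Rules and Common Traps above to a collection and an environment before Newman is ever invoked: it flags hardcoded URLs, literal Authorization headers, requests without pm.test() assertions, and secret-like environment keys that carry a literal value. The sample collection and environment are constructed here, not taken from the page.

```javascript
// Added example, not part of the skill: pre-run lint for a Postman collection and
// environment, checking the "Core Rules" and "Common Traps" from the skill docs.
const SECRET_KEY = /token|secret|password|api[_-]?key/i; // env keys that should stay empty in files
// Yield every request item with its folder path; folders nest via their own "item" array.
function* walkItems(items, path = []) {
  for (const it of items || []) {
    const here = [...path, it.name];
    if (it.item) yield* walkItems(it.item, here);
    else if (it.request) yield { path: here.join(" > "), item: it };
  }
}
// Returns one human-readable finding per violated rule, in collection order.
function lintCollection(collection) {
  const findings = [];
  for (const { path, item } of walkItems(collection.item)) {
    const req = item.request;
    const url = typeof req.url === "string" ? req.url : (req.url && req.url.raw) || "";
    if (!url.startsWith("{{")) findings.push(`${path}: hardcoded URL "${url}" (use {{base_url}})`);
    for (const h of req.header || []) {
      if (/^authorization$/i.test(h.key) && !/\{\{.+\}\}/.test(h.value))
        findings.push(`${path}: literal Authorization header (use {{token}})`);
    }
    const hasTest = (item.event || []).some(
      (e) => e.listen === "test" && (e.script?.exec || []).some((l) => l.includes("pm.test("))
    );
    if (!hasTest) findings.push(`${path}: no pm.test() assertions`);
  }
  return findings;
}
// Secret-like keys must be empty in committed environment files and injected at run time.
function lintEnvironment(env) {
  return (env.values || [])
    .filter((v) => SECRET_KEY.test(v.key) && v.value !== "")
    .map((v) => `environment "${env.name}": "${v.key}" holds a literal value; keep it empty and inject at run time`);
}
// Constructed sample input (not from the page): "Get Users" is clean, "Delete User" breaks three rules.
const sampleCollection = { info: { name: "Sample" }, item: [{ name: "Users", item: [
  { name: "Get Users", request: { method: "GET", url: "{{base_url}}/users",
      header: [{ key: "Authorization", value: "Bearer {{token}}" }] },
    event: [{ listen: "test", script: { exec: ["pm.test('ok', () => pm.response.to.have.status(200));"] } }] },
  { name: "Delete User", request: { method: "DELETE", url: "https://api.example.com/users/1",
      header: [{ key: "Authorization", value: "Bearer literal-token-value" }] } },
] }] };
const sampleEnv = { name: "Development", values: [
  { key: "base_url", value: "http://localhost:3000", enabled: true },
  { key: "token", value: "literal-token-value", enabled: true } ] };
console.log([...lintCollection(sampleCollection), ...lintEnvironment(sampleEnv)].join("\n"));
```

Run it against the real files under ~/postman/collections/ and ~/postman/environments/ as a CI step and fail the job on any finding, before `newman run` is reached.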
Dynamic Variables
Postman built-in variables for test data:
| Variable | Example Output |
|---|---|
| {{$randomFullName}} | "Jane Doe" |
| {{$randomEmail}} | "jane@example.com" |
| {{$randomUUID}} | "550e8400-e29b-..." |
| {{$timestamp}} | 1234567890 |
| {{$randomInt}} | 42 |
OpenAPI to Postman
Import OpenAPI/Swagger specs:
- Export OpenAPI JSON/YAML
- In Postman: Import > File > Select spec
- Collection auto-generated with all endpoints
Or via CLI:
```shell
npx openapi-to-postmanv2 -s openapi.yaml -o collection.json
```
Security & Privacy
Data stays local:
- Collections and environments in ~/postman/
- Newman runs locally
The skill does not:
- Send collections to external services
- Store API credentials in memory.md
Related Skills
Install with clawhub install if user confirms:
- api: REST API consumption patterns
- json: JSON manipulation and validation
- ci-cd: Pipeline automation
Feedback
- If useful: clawhub star postman
- Stay updated: clawhub sync
Source: ClawHub · Chinese localization: 龙虾技能库