Newman

Automated API testing with Postman collections via Newman CLI. Use when user requests API testing, collection execution, automated testing, CI/CD integration, or mentions "Postman", "Newman", "API tests", "run collection", or "automated testing".

This skill appears to be a straightforward Newman (Postman CLI) runner with sensible helpers and a security-audit script. Before installing or running it: 1) Verify the skill source — README references a GitHub repo/maintainer but the registry 'Source' and homepage are unknown; prefer installing from a trusted repo or your own vetted copy. 2) Do not commit collections or environment files that contain secrets; the included audit script helps detect hardcoded secrets but is not foolproof. 3) Be cautious when configuring reporters that send results externally (Slack/webhooks) — those endpoints may receive sensitive request/response data. 4) The install step runs npm install -g newman (remote package execution) — if you require stricter control, audit the npm packages or install pinned versions from an approved mirror. 5) If you plan to use encryption scripts (ENCRYPTION_KEY) or CI examples, store credentials in your platform's secrets store and ensure keys/webhooks are trusted. Overall: coherent and appropriate for the stated purpose, but practice standard secret- and source-verification hygiene.

Type: OpenClaw Skill Name: newman Version: 1.0.0 The skill is classified as suspicious due to a shell injection vulnerability found in `scripts/run-tests.sh`. The script uses `eval` to execute a constructed `newman` command, and the `--reporters` option, which is directly derived from user input, is not properly sanitized or quoted, allowing an attacker to inject arbitrary shell commands. While the skill otherwise promotes good security practices for API testing and does not show evidence of intentional malicious behavior, this vulnerability allows for remote code execution if untrusted input is provided to the script.