← 返回 Skills 市场
pmctl
作者
Wenbing Li
· GitHub ↗
· v1.0.0
649
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install pmctl
功能描述
Browse and inspect Postman collections, requests, and environments from the terminal using pmctl. Use when you need to discover API endpoints, look up reques...
安全使用建议
This skill is documentation for using the pmctl CLI, not code bundled with your agent. Before using: (1) review the referenced GitHub repo and PyPI package to confirm authorship and review recent activity; (2) when adding a profile, supply a Postman API key only to accounts you trust and prefer a scoped or short‑lived key; (3) be cautious that `environments show --json` can reveal unmasked secrets — avoid piping those outputs to untrusted destinations; (4) consider using separate Postman profiles for sensitive vs. public work and rotate keys if needed.
功能分析
Type: OpenClaw Skill
Name: pmctl
Version: 1.0.0
The skill bundle is suspicious because its documentation (`SKILL.md`) explicitly highlights that the `pmctl environments show --json` command returns "unmasked secrets." While this is presented as a feature "useful for scripting" and is inherent to the tool's purpose of inspecting Postman environments, it exposes a high-risk capability. An AI agent executing these instructions could be prompted to extract and potentially misuse sensitive environment variables (e.g., API keys, tokens) without further explicit malicious instructions within the skill bundle itself, making it a significant prompt injection risk for data exfiltration.
能力评估
Purpose & Capability
Name/description match the SKILL.md: the skill documents using pmctl to browse Postman data. Minor inconsistency: registry metadata lists no required credentials, but the runtime instructions clearly require a Postman API key (PMAK-...) to add a profile. This is expected for a Postman CLI but the metadata could declare the primary credential.
Instruction Scope
Instructions stay within scope: they show how to install and use pmctl to list collections, requests, environments, resolve variables, and construct curl commands. They explicitly note that environment outputs can contain unmasked secrets — which is relevant to Postman usage but not scope creep.
Install Mechanism
No install spec is provided in the skill bundle (instruction-only). The SKILL.md tells users to run `pip install pmctl` and links a GitHub repo. Installing a third‑party PyPI package is normal here but carries the usual risk of executing remote code; the skill itself does not embed or download code.
Credentials
The skill does not declare required env vars in metadata, yet the documented workflow requires a Postman API key and profiles. Requesting a Postman API key is proportionate to the stated purpose, but users should be aware that pmctl can read and output unmasked environment secrets from Postman workspaces.
Persistence & Privilege
No elevated privileges requested. always is false, no install writes are specified by the skill, and it does not ask to modify other skills or system-wide configuration.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pmctl - 安装完成后,直接呼叫该 Skill 的名称或使用
/pmctl触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release
元数据
常见问题
pmctl 是什么?
Browse and inspect Postman collections, requests, and environments from the terminal using pmctl. Use when you need to discover API endpoints, look up reques... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 649 次。
如何安装 pmctl?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pmctl」即可一键安装,无需额外配置。
pmctl 是免费的吗?
是的,pmctl 完全免费(开源免费),可自由下载、安装和使用。
pmctl 支持哪些平台?
pmctl 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 pmctl?
由 Wenbing Li(@wbingli)开发并维护,当前版本 v1.0.0。
推荐 Skills