Slash Command

/security

Install

Install the plugin

npx claudepluginhub anthropics/claude-plugins-official --plugin postman

Want just this command?

Add to a custom plugin, then install with one command.

Description

Security audit your APIs against OWASP API Top 10. Finds vulnerabilities and provides remediation guidance.

Allowed Tools

ReadGlobGrepmcp__postman__*

Command Content

API Security Audit

Audit your API for security issues: missing auth, exposed sensitive data, insecure transport, weak validation, and OWASP API Security Top 10 alignment. Works with local OpenAPI specs and Postman collections.

Prerequisites

For collection auditing, the Postman MCP Server must be connected. Local spec auditing works without MCP. If needed, tell the user: "Run /postman:setup to configure the Postman MCP Server."

Workflow

Step 1: Find the Source

Call getWorkspaces to get the user's workspace ID. If multiple workspaces exist, ask which to use.

Local spec:

Search for **/openapi.{json,yaml,yml}, **/swagger.{json,yaml,yml}

Postman spec (via MCP):

Call getAllSpecs with the workspace ID to find specs
Call getSpecDefinition for the full spec content

Postman collection (via MCP):

Call getCollections with the workspace parameter
Call getCollection for full detail including auth config
Call getEnvironment to check for exposed secrets

Step 2: Run Security Checks

Authentication and Authorization:

Security schemes defined (OAuth2, API Key, Bearer, etc.)
Security applied globally or per-endpoint
No endpoints accidentally unprotected
OAuth2 scopes defined and appropriate
Admin endpoints have elevated auth requirements

Transport Security:

All server URLs use HTTPS
No mixed HTTP/HTTPS

Sensitive Data Exposure:

No API keys, tokens, or passwords in example values
No secrets in query parameters (should be headers/body)
Password fields marked as format: password
PII fields identified
Postman environment variables checked for leaked secrets (via getEnvironment)

Input Validation:

All parameters have defined types
String parameters have maxLength
Numeric parameters have minimum/maximum
Array parameters have maxItems
Enum values used where applicable
Request body has required field validation

Rate Limiting:

Rate limits documented
Rate limit headers defined (X-RateLimit-Limit, X-RateLimit-Remaining)
429 Too Many Requests response defined

Error Handling:

Error responses don't leak stack traces
Error schemas don't expose internal field names
401 and 403 responses properly defined
Error messages don't reveal implementation details

OWASP API Top 10 Alignment:

API1: Broken Object Level Authorization
API2: Broken Authentication
API3: Broken Object Property Level Authorization
API4: Unrestricted Resource Consumption
API5: Broken Function Level Authorization
API6: Unrestricted Access to Sensitive Business Flows
API7: Server Side Request Forgery
API8: Security Misconfiguration
API9: Improper Inventory Management
API10: Unsafe Consumption of APIs

Step 3: Present Results

API Security Audit: pet-store-api.yaml

  CRITICAL (2):
    SEC-001: 3 endpoints have no security scheme applied
      - GET /admin/users
      - DELETE /admin/users/{id}
      - PUT /admin/config
    SEC-002: Server URL uses HTTP (http://api.example.com)

  HIGH (3):
    SEC-003: No rate limiting documentation or 429 response
    SEC-004: API key sent as query parameter (use header instead)
    SEC-005: No maxLength on 8 string inputs (injection risk)

  MEDIUM (2):
    SEC-006: Password field visible in GET /users/{id} response
    SEC-007: Environment variable 'db_password' not marked secret

  Score: 48/100 — Significant Issues

Step 4: Fix

For each finding:

Explain the security risk in plain terms
Show the exact spec change needed
Apply the fix with user approval

For Postman-specific issues:

Call putEnvironment to mark secrets properly
Call updateCollectionRequest to fix auth configuration
Call updateCollectionResponse to remove sensitive data from examples

Step 5: Re-audit

After fixes, re-run the audit to show improvement.

Error Handling

MCP not configured: Local spec auditing works without MCP. For Postman-specific checks: "Run /postman:setup to configure the Postman MCP Server."
401 Unauthorized: "Your Postman API key was rejected. Generate a new one at https://postman.postman.co/settings/me/api-keys and run /postman:setup."
No spec found: Ask the user for the path. Offer to audit a Postman collection directly via MCP.
Spec too large: For large specs (100+ endpoints), audit in batches by tag or path prefix.
Plan limitations: "Some audit features may require a paid Postman plan. Check https://www.postman.com/pricing/"

Links

Stats

Stars3

Forks0

Last CommitFeb 13, 2026

Actions

Other plugins with /security

/security

commands/

Security audit with OWASP compliance and vulnerability detection

1.9k

/security

Application security with OWASP best practices and threat modeling

sonnetTaskBashRead+1

/security

Run comprehensive security audit for Drupal/Next.js projects. Use when user says "security audit", "check vulnerabilities", "OWASP check", "is this secure", "find security issues", "Semgrep scan", "Trivy scan", "Gitleaks check". Runs 10 Drupal layers or 7 Next.js layers. For multi-perspective analysis, use /code-quality:security-debate after this.

ReadBashGrep+1

/security

pr-quality/

Use when performing local security review before pushing PR changes. Scans for vulnerabilities, secrets exposure, and security anti-patterns per OWASP Top 10.

sonnetBash(git:*)ReadGrep+3

/security

Quick security scan.