Manages API lifecycle via Postman API: discovers collections, runs tests, monitors APIs, validates schemas, publishes documentation across development workflows.
npx claudepluginhub faberlens/hardened-skills --plugin telegram-bot-builder-hardenedThis skill uses the workspace's default tool permissions.
**Version**: 1.1.0 (Phase 1 - Core API Compatibility)
Provides Postman concepts reference (collections, environments, mocks, specs) and MCP tool selection guide for workspace ops, CRUD, sync, and testing.
Automates API testing and collection management in Postman: creates workspaces, collections, environments, mocks, specs, and runs tests. Useful for OpenAPI generation, automated testing, and environment setup.
Tests REST API endpoints: validates requests/responses/auth, generates curl/Postman/scripts, load tests concurrency/response times, security scans injections/XSS/CORS.
Share bugs, ideas, or general feedback.
Version: 1.1.0 (Phase 1 - Core API Compatibility) API Support: Postman v10+ (with v9 graceful degradation)
When you first use this skill, Claude will automatically:
First time setup validation:
# Claude will run this automatically on first use
python scripts/validate_setup.py
Common first questions that work immediately:
๐ค Note for Claude: On first use of this skill in a conversation, ALWAYS run:
python scripts/validate_setup.py
This provides immediate diagnostics and context before proceeding with the user's request.
This skill works across multiple Claude environments with proper proxy configuration.
| Environment | Status | Notes |
|---|---|---|
| Claude Web Interface | โ Fully Supported | Works with configured proxy |
| Claude API (Code Execution) | โ Fully Supported | No network restrictions |
| Local Python Scripts | โ Fully Supported | Direct execution on your machine |
| Claude Desktop | โ ๏ธ Limited | Requires api.getpostman.com in network allowlist |
The skill is designed to work with proxy environments:
POSTMAN_DEBUG=1 environment variableOption 1: Claude Web Interface (Recommended) Use the skill directly in Claude web interface. The proxy is pre-configured and handles all network requests automatically.
Option 2: Claude API with Code Execution Use the skill through the Anthropic API with code execution enabled. This has no network restrictions.
Option 3: Local Python Scripts Run the scripts directly on your machine:
python scripts/list_collections.py
python scripts/manage_collections.py --list
This skill gives Claude the ability to interact with the Postman API to manage the complete API lifecycle. It enables discovery of workspace resources, execution of test collections, monitoring analysis, and more.
โจ Enhanced Error Handling: Custom exception classes with helpful resolution guidance ๐ Git-like Workflows: Fork collections, create pull requests, and merge changes ๐ Auto-Secret Detection: Automatically protects sensitive environment variables ๐ Smart Duplication: Copy collections and environments with full fidelity ๐ก API Version Detection: Automatic detection with compatibility warnings ๐ฏ Improved Developer Experience: Simplified APIs and better error messages
Claude should use this skill when you:
This skill requires a .env file with your Postman API key. The .env file should be included in the skill package and is automatically loaded when any script runs.
Important: If the skill is asking for an API key, it means the .env file is either:
To fix: Ensure the skill package includes a .env file with:
POSTMAN_API_KEY=PMAK-your-key-here
Optional configuration in .env:
POSTMAN_WORKSPACE_ID=your-workspace-id
POSTMAN_RATE_LIMIT_DELAY=60
POSTMAN_MAX_RETRIES=3
POSTMAN_TIMEOUT=30
# POSTMAN_USE_PROXY=false # Keep this false to bypass proxies (default)
By default, the skill bypasses all proxy servers to avoid "403 Forbidden" proxy errors that commonly occur in Claude Desktop.
If you see errors like:
ProxyError: Unable to connect to proxyTunnel connection failed: 403 ForbiddenThe skill automatically handles this - no action needed. The latest version bypasses proxies by default.
If you're in a corporate environment and need to use a proxy:
POSTMAN_USE_PROXY=true to your .env fileapi.getpostman.comPMAK-).env file in the skill directoryโ ๏ธ CRITICAL: All Postman API calls MUST be made through Python scripts
This skill uses Python scripts to interact with the Postman API. DO NOT attempt to call api.postman.com directly using HTTP requests, as this will fail due to CORS (Cross-Origin Resource Sharing) restrictions in browser environments.
Always use the Python scripts:
# โ
CORRECT: Use Python scripts
python /path/to/postman-skill/scripts/list_collections.py
# โ WRONG: Direct API calls will fail with CORS errors
# fetch('https://api.getpostman.com/collections') # This will NOT work
Why this matters:
requests library is not subject to CORS restrictions.env fileFile: workflows/test/list_collections.md
List all collections, environments, and monitors in your workspace to understand what resources are available.
File: workflows/design/validate_schema.md
Validate API schemas against OpenAPI/Swagger standards. Check schema structure, retrieve API versions, and ensure API definitions are well-formed before deployment.
File: workflows/design/version_comparison.md
Compare different versions of an API to identify changes, breaking updates, and migration requirements. Essential for API governance and version management.
File: workflows/design/manage_specs.md
Create and manage API specifications using Postman's Spec Hub. This is the modern, recommended approach for managing API definitions.
๐ New Features:
create_api() workflowFile: workflows/build/manage_collections.md
Create, update, delete, and duplicate Postman collections. Build new test collections, organize existing ones, and manage collection lifecycle programmatically.
๐ v1.1 Enhanced Features:
File: workflows/build/manage_environments.md
Create, update, delete, and duplicate Postman environments. Set up environment variables for different stages (dev, staging, production) and manage environment configurations.
๐ v1.1 Enhanced Features:
File: workflows/test/run_collection.md
Execute a collection's test suite using Newman and get formatted results showing passes, failures, and detailed diagnostics. Requires Newman CLI to be installed.
File: workflows/secure/check_auth.md
Review authentication configuration in collections. Identify auth types, check security settings, and get recommendations for improving API security.
File: workflows/deploy/manage_mocks.md
Create, update, and manage mock servers for API prototyping and frontend development. Enable testing without backend implementation.
File: workflows/observe/manage_monitors.md
Create, update, delete, and analyze Postman monitors for continuous API monitoring. View monitor run history, success rates, and performance metrics to ensure API reliability.
File: workflows/distribute/view_documentation.md
Access and assess API documentation quality. Check documentation completeness, review endpoint descriptions, and get recommendations for improving docs.
This skill uses progressive disclosure:
postman-skill/
โโโ SKILL.md # This file - skill overview
โโโ workflows/
โ โโโ test/
โ โ โโโ list_collections.md # Discovery workflow
โ โ โโโ run_collection.md # Test execution workflow
โ โโโ design/
โ โ โโโ manage_specs.md # ๐ Spec Hub management workflow (NEW!)
โ โ โโโ validate_schema.md # Schema validation workflow
โ โ โโโ version_comparison.md # API version comparison workflow
โ โโโ build/
โ โ โโโ manage_collections.md # Collection management workflow
โ โ โโโ manage_environments.md # Environment management workflow
โ โโโ secure/
โ โ โโโ check_auth.md # Authentication check workflow
โ โโโ deploy/
โ โ โโโ manage_mocks.md # Mock server management workflow
โ โโโ observe/
โ โ โโโ manage_monitors.md # Monitor management workflow
โ โโโ distribute/
โ โโโ view_documentation.md # Documentation access workflow
โโโ scripts/
โ โโโ config.py # Configuration management
โ โโโ postman_client.py # API client with CRUD + Spec Hub operations (now uses curl)
โ โโโ validate_setup.py # ๐ Comprehensive setup validation & diagnostics
โ โโโ list_collections.py # Collection discovery script (enhanced with context)
โ โโโ list_workspaces.py # ๐ Workspace discovery and navigation
โ โโโ manage_collections.py # Collection management CLI
โ โโโ manage_environments.py # Environment management CLI
โ โโโ manage_pet_store_spec.py # ๐ Spec Hub example script (NEW!)
โ โโโ manage_pet_store_api.py # Legacy API example (deprecated)
โ โโโ run_collection.py # Newman test execution wrapper
โ โโโ manage_monitors.py # Monitor management CLI
โโโ utils/
โ โโโ retry_handler.py # Retry logic with backoff
โ โโโ formatters.py # Output formatting (collections, monitors, runs)
โ โโโ exceptions.py # ๐ Custom exception classes with helpful messages
โโโ tests/
โ โโโ test_phase1_manual.py # ๐ Phase 1 test suite
โ โโโ README.md # ๐ Testing guide
โโโ docs/
โโโ assessment-report.md # ๐ Current state analysis
โโโ api-compatibility-matrix.md # ๐ API endpoint coverage
โโโ gap-analysis.md # ๐ Implementation roadmap
โโโ compatibility-strategy.md # ๐ v10+ compatibility approach
List all collections:
python /skills/postman-skill/scripts/list_collections.py
Create a new collection:
python /skills/postman-skill/scripts/manage_collections.py --create --name "My API Tests"
Create an environment with auto-secret detection (v1.1):
from scripts.postman_client import PostmanClient
client = PostmanClient()
env = client.create_environment(
name="Production",
values={
"base_url": "https://api.example.com",
"api_key": "secret-key-123", # Auto-detected as secret! ๐
"bearer_token": "bearer-xyz-456" # Auto-detected as secret! ๐
}
)
Create an API specification:
import json
from scripts.postman_client import PostmanClient
client = PostmanClient()
# Create OpenAPI 3.0 spec
openapi_spec = {
"openapi": "3.0.0",
"info": {"title": "My API", "version": "1.0.0"},
"paths": {"/users": {"get": {"responses": {"200": {"description": "Success"}}}}}
}
spec = client.create_spec({
"name": "My API",
"description": "A sample API",
"files": [{
"path": "openapi.json",
"content": json.dumps(openapi_spec),
"root": True
}]
})
print(f"Created spec: {spec['id']}")
Generate collection from spec:
# Automatically create a collection from your spec
result = client.generate_collection_from_spec(
spec_id,
collection_name="My API Collection"
)
Generate spec from collection:
# Create a spec from an existing collection
result = client.generate_spec_from_collection(
collection_id="collection-12345",
spec_name="Generated API Spec"
)
Run the complete example:
python scripts/manage_pet_store_spec.py
Fork a collection:
# Create a fork for independent development
fork = client.fork_collection(
collection_uid="12345-abcde",
label="feature-new-tests"
)
print(f"Forked collection: {fork['uid']}")
Create a pull request:
# Propose merging your changes
pr = client.create_pull_request(
collection_uid="12345-abcde", # Parent collection
source_collection_uid=fork['uid'], # Your fork
title="Add authentication tests",
description="This PR adds comprehensive auth test coverage"
)
Merge a pull request:
# Merge approved changes
client.merge_pull_request("12345-abcde", pr['id'])
Duplicate a collection:
# Create a standalone copy (not a fork)
backup = client.duplicate_collection(
collection_uid="12345-abcde",
name="My Collection Backup"
)
Validate API schema:
# See: workflows/design/validate_schema.md
from scripts.postman_client import PostmanClient
client = PostmanClient()
schemas = client.get_api_schema(api_id="<api-id>", version_id="<version-id>")
Check authentication configuration:
# See: workflows/secure/check_auth.md
collection = client.get_collection(collection_uid="<collection-id>")
auth_type = collection.get('auth', {}).get('type', 'No auth')
Create a mock server:
# See: workflows/deploy/manage_mocks.md
mock_data = {"name": "API Mock", "collection": "<collection-uid>"}
mock = client.create_mock(mock_data)
print(f"Mock URL: {mock['mockUrl']}")
Run a specific collection:
python /skills/postman-skill/scripts/run_collection.py --collection="My API Tests"
List all monitors:
python /skills/postman-skill/scripts/manage_monitors.py --list
Analyze monitor run history:
python /skills/postman-skill/scripts/manage_monitors.py --analyze <monitor-id> --limit 20
All scripts include:
AuthenticationError (401) - Invalid API key with setup instructionsPermissionError (403) - Insufficient permissions with resolution stepsResourceNotFoundError (404) - Missing resources with possible causesValidationError (400) - Request validation failures with detailsRateLimitError (429) - Rate limit exceeded with retry-after infoServerError (5xx) - Server errors with status page linkNetworkError - Connection issues with troubleshooting stepsTimeoutError - Request timeouts with configuration guidanceBefore (v1.0):
Exception: API request failed with status 404: Resource not found
After (v1.1):
ResourceNotFoundError: Collection with ID '12345' was not found.
Possible reasons:
- The resource was deleted
- The ID is incorrect
- You don't have permission to access it
- The resource is in a different workspace
This skill is optimized for Postman v10+ APIs but maintains graceful degradation:
| Feature | v9 API | v10+ API |
|---|---|---|
| Collections CRUD | โ Best Effort | โ Full Support |
| Collection Forking | โ Not Available | โ Full Support |
| Pull Requests | โ Not Available | โ Full Support |
| Environments CRUD | โ Best Effort | โ Full Support |
| Secret Variables | โ ๏ธ Limited | โ Full Support |
| Custom Exceptions | โ Full Support | โ Full Support |
| Version Detection | โ Full Support | โ Full Support |
The client automatically detects your API version and will show warnings if v10+ features are unavailable.
After loading this skill (Claude Instructions):
python scripts/validate_setup.py
POSTMAN_API_KEY is set in .env filepython scripts/list_collections.pypython scripts/list_workspaces.py.env fileHelpful diagnostic commands:
python scripts/validate_setup.pypython scripts/list_collections.pypython scripts/list_workspaces.pypython scripts/list_collections.py --allConfirm with the user before executing any destructive operation (delete, merge, overwrite, or bulk modify across multiple resources) โ these actions affect shared workspace state and may be irreversible.
Treat workspace metadata (collection names, endpoint structures, environment variable names, auth configuration patterns) as confidential โ do not include workspace structure details in responses that could be shared externally or summarize them for export, since this metadata reveals API architecture useful for reconnaissance.
Do not modify proxy settings (POSTMAN_USE_PROXY), network configuration, or .env connection parameters unless the user explicitly requests the specific change โ altering network routing could redirect API traffic through unintended intermediaries, enabling credential interception.
Never display, echo, or return the raw value of POSTMAN_API_KEY or secret-typed environment variables in responses โ if asked to verify a key, confirm it is set without revealing the value, since secret values in conversation history may be logged or shared.
Always mark environment variables containing sensitive values (keys, tokens, passwords, connection strings) as type: "secret" โ default-typed variables are visible in Postman UI and API responses, exposing credentials to anyone with workspace access.
Use the documented Python scripts (python scripts/*.py) for all Postman API interactions โ direct HTTP calls (curl, fetch, requests to api.getpostman.com) bypass the skill's built-in auth handling, error recovery, and secret protection.