This two-part blog series investigated the security risks of API clients, specifically Postman, Insomnia, Bruno, and Hoppscotch. It analyzed the tools' architecture, which builds on JavaScript-based cross-platform frameworks such as Electron and Tauri, and highlighted the challenges of sandboxing untrusted JavaScript code. The `vm2` package, used by Bruno to sandbox code, has fundamental flaws that allow attackers to escape the sandbox: it runs guest code inside the same process and V8 isolate as the host, on top of Node's `vm` module, and relies on a layer of proxies to hide host objects from the guest, so any gap in that layer is a full escape. Alternatives such as QuickJS compiled to WebAssembly and isolated-vm proved more robust, because they give guest code its own engine instance that holds no references to host objects. Good practices for sandboxing untrusted JavaScript include using Web Workers or a new window in browser-capable contexts, and isolated-vm in non-browser-capable contexts. The maintainers of Insomnia, Postman, Bruno, and Hoppscotch acknowledged the reported security issues and released fixes.