Back to skill

Security audit

Fasten Connect

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Fasten health-record integration guide, but users should treat its healthcare credentials and test-password examples carefully.

Before installing, confirm you only use this with authorized test or patient data, store Fasten private keys and webhook secrets in a real secrets manager, avoid copying the embedded ID.me test password into production workflows, and review the documented PHI, tenant-isolation, webhook, and live-fee implications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Ssd 3

High
Confidence
98% confidence
Finding
The skill embeds a plaintext password (`IDme2026!!`) in operational instructions, normalizing the practice of distributing credentials through documentation. Even if labeled as a test credential, this can lead to credential reuse, accidental use outside test environments, leakage into logs or prompts, and confusion between synthetic and real patient workflows in a healthcare integration context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:212