Athenahealth

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Athenahealth integration, but it gives an agent broad authenticated access to sensitive healthcare records without enough guardrails.

Install only if you intentionally want an agent to work with Athenahealth through Membrane. Use a least-privileged test or limited-production connection, confirm every create/update/delete request before it runs, prefer vetted Membrane actions over raw proxy calls, and make sure your organization’s healthcare privacy, audit, and access-control requirements are met.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 94% confidence
Finding: The skill documents a generic proxy mechanism that supports arbitrary HTTP methods including POST, PUT, PATCH, and DELETE against a healthcare platform, but provides no safeguards or warnings about modifying protected health information or operational data. In a healthcare context, this can enable accidental or unauthorized changes to patient, appointment, or billing records, increasing integrity, privacy, and compliance risk.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal