Athenahealth
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This Athenahealth skill is purpose-aligned, but it gives broad authenticated access to sensitive healthcare data and supports direct API calls that could modify or delete records without clear guardrails.
Only install this if you are comfortable connecting Athenahealth through Membrane. Before allowing the agent to act, confirm the connection is least-privilege, require approval for any write or delete operation, and avoid raw proxy calls unless you have reviewed the exact endpoint, method, and data being sent.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad agent action could change or delete sensitive healthcare, appointment, billing, or claims data.
The skill exposes a direct authenticated proxy to arbitrary Athenahealth API paths, including mutating and deleting methods, without artifact-stated approval, scoping, or rollback guidance.
membrane request CONNECTION_ID /path/to/endpoint ... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE). Defaults to GET
Require explicit user confirmation before any POST, PUT, PATCH, or DELETE request; prefer listed Membrane actions over raw proxy calls; and restrict connections to the minimum Athenahealth permissions needed.
The agent can act through the connected Athenahealth account and may access whatever data or operations that connection permits.
The skill uses delegated Athenahealth access through Membrane, which is expected for the integration but grants account-backed authority over sensitive systems.
Membrane handles authentication and credentials refresh automatically ... The user completes authentication in the browser.
Use a least-privilege Athenahealth/Membrane connection, avoid production access unless necessary, and verify how to revoke the connection.
Sensitive healthcare data may pass through Membrane in addition to Athenahealth.
Athenahealth data, potentially including patient and clinical information, is routed through an external Membrane proxy as part of the disclosed workflow.
send requests directly to the Athenahealth API through Membrane's proxy
Confirm Membrane's privacy, compliance, and data-processing terms are appropriate for the healthcare data involved, especially for PHI.
The installed CLI version may change over time, so behavior depends on the current npm package release.
The skill asks the user to install a global npm CLI package, which is central to its purpose but is not version-pinned in the instruction.
npm install -g @membranehq/cli
Install from the official package source, consider pinning a known-good version, and review the CLI before using it with sensitive healthcare accounts.
