Nexhealth

Security checks across malware telemetry and agentic risk

Overview

This NexHealth skill is coherent, but it gives an agent broad authenticated access to sensitive healthcare workflows without enough built-in guardrails for patient data or write operations.

Install only if you trust Membrane and the connected NexHealth account. Use the least-privileged NexHealth connection available, verify the tenant and target records before each operation, avoid unnecessary patient data in prompts or logs, and require explicit confirmation for any create, update, send, or delete action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 94% confidence
Finding: The skill explicitly documents direct proxy requests with state-changing methods like POST, PUT, PATCH, and DELETE against a healthcare platform without requiring confirmation, authorization checks, or warnings about modifying PHI-related records. In a NexHealth context, this can lead an agent to alter appointments, patient data, or provider/location records with real operational and privacy consequences.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal