Rocketreach
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The RocketReach skill is mostly coherent, but it gives the agent broad authenticated API-proxy power, including mutating HTTP methods, without clear user-confirmation or scope limits.
Install only if you are comfortable using Membrane as the authenticated gateway to RocketReach. Prefer built-in discovered actions, and require explicit approval before the agent sends raw proxy requests that create, update, or delete data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent chooses the wrong endpoint or method, it could change or delete RocketReach-related data using the user’s authorized connection.
This gives the agent a broad authenticated escape hatch for calling arbitrary RocketReach API paths, including mutating or deleting requests, without visible scope, confirmation, or reversibility guidance.
When the available actions don't cover your use case, you can send requests directly to the RocketReach API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Use discovered Membrane actions when possible, and require explicit user approval before POST, PUT, PATCH, or DELETE proxy requests.
The skill can operate with the permissions of the connected Membrane/RocketReach account.
The skill requires delegated account access through Membrane and RocketReach. That is expected for this integration, but it grants the agent access through an authenticated connection.
This skill uses the Membrane CLI to interact with RocketReach. Membrane handles authentication and credentials refresh automatically
Connect only the intended account and review the permissions granted during the Membrane/RocketReach authorization flow.
Installing a changing global CLI package can affect the local environment and depends on the package source remaining trustworthy.
The skill asks for a global install of the CLI package at the unpinned @latest tag. This is central to the stated Membrane integration, but it means the installed version is whatever npm serves as latest at install time.
npm install -g @membranehq/cli@latest
Install the CLI from the official package source and consider pinning or reviewing the version before installation.
RocketReach queries and responses may pass through Membrane’s infrastructure as part of normal operation.
Membrane acts as an authenticated gateway for RocketReach API requests. This is disclosed and purpose-aligned, but it means API traffic and delegated credentials are handled through a third-party service.
you can send requests directly to the RocketReach API through Membrane's proxy... injects the correct authentication headers
Review Membrane’s security and privacy terms before connecting sensitive RocketReach data.
