Liferay
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a real Liferay integration, but it gives the agent broad authenticated API access that could change or delete Liferay content, users, roles, or other business data without clearly defined approval limits.
Install only if you trust Membrane and need Liferay automation. Use a least-privileged Liferay account, review the CLI package source, and require explicit approval before any write, delete, user/role, workflow, or public-content operation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad agent action could change or remove Liferay records, documents, pages, workflow items, users, roles, or other account data.
The skill exposes a raw authenticated API escape hatch with write and delete methods. For an enterprise Liferay account, incorrect or overly autonomous use could modify or delete business content or administrative objects, and the instructions do not define approval or endpoint limits.
When the available actions don't cover your use case, you can send requests directly to the Liferay API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Require explicit user confirmation before any POST, PUT, PATCH, DELETE, user/role, workflow, or public-content action; use least-privileged Liferay credentials; prefer scoped Membrane actions over raw proxy calls.
The agent may be able to perform any Liferay action allowed by the connected account.
The skill uses Membrane-managed authentication and credential refresh, which is expected for this integration but means actions run with the permissions of the connected Membrane/Liferay account.
Membrane handles authentication and credentials refresh automatically — so you can focus on the integration logic rather than auth plumbing.
Connect a dedicated least-privileged Liferay account or connection, review granted scopes/roles, and revoke the Membrane connection when it is no longer needed.
Installing the CLI runs third-party code on the local machine, and future versions resolved by the latest tag may differ from the reviewed instructions.
The skill asks the user to install a global npm CLI at its latest version. This is central to the stated Membrane integration, but it depends on npm package provenance and future package changes.
npm install -g @membranehq/cli@latest
Install only from the trusted npm package, consider pinning a reviewed CLI version where possible, and avoid running the command in highly privileged environments.
Request paths, parameters, bodies, and responses may be processed through Membrane while interacting with Liferay.
Liferay API requests and authentication handling pass through Membrane as an intermediary gateway. This is disclosed and purpose-aligned, but users should understand the data boundary.
send requests directly to the Liferay API through Membrane's proxy. Membrane automatically appends the base URL... and injects the correct authentication headers
Avoid sending unnecessary sensitive data through proxy calls, review Membrane's data handling policies, and keep requests narrowly scoped to the user's task.
