parallel-web

Fail

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The setup instructions in SKILL.md recommend installing the parallel-cli by downloading a shell script from https://parallel.ai/install.sh and piping it directly to bash. This practice is dangerous because it executes remote code without integrity verification, allowing full system compromise if the source is compromised or the transmission is intercepted.
  • [COMMAND_EXECUTION]: Across multiple files including references/web-search.md, references/web-extract.md, and references/data-enrichment.md, the skill builds shell commands by directly interpolating user-provided variables like $ARGUMENTS and $DATA. The instructions do not include any steps to sanitize or escape these inputs, creating a high risk of command injection if the user provides malicious input.
  • [DATA_EXFILTRATION]: The skill's core functionality involves reading local files (such as CSVs in references/data-enrichment.md) and sending the contents to the parallel.ai service via the parallel-cli enrich command. While this is the intended behavior, users must be aware that their data is being uploaded to a third-party server.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its processing of untrusted external data.
      • Ingestion points: The skill fetches full content from arbitrary URLs (references/web-extract.md) and excerpts from search engine results (references/web-search.md).
      • Boundary markers: The instructions lack boundary markers or specific delimiters to separate untrusted external content from the agent's primary instructions.
      • Capability inventory: The agent possesses the capability to execute shell commands via parallel-cli, read local environment variables and project files, and write to the local file system (e.g., in /tmp/).
      • Sanitization: There is no evidence of content sanitization or validation of the data retrieved from external sources before it is processed by the agent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://parallel.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 13, 2026, 10:54 PM