parallel-search
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS
Full Analysis
- External Downloads (MEDIUM): The `package.json` file includes dependencies `parallel-web` and `uba-eslint-config` marked as `latest`. These packages are not from trusted organizations and lack version pinning, which increases the risk of supply chain attacks or unintended code execution if the registry entries are compromised.
- Indirect Prompt Injection (LOW): The skill fetches and processes large excerpts from the public web (up to 30,000 characters). This introduces a surface for indirect prompt injection if the crawled content contains malicious instructions for the agent.
  - Ingestion points: Web excerpts are retrieved via the `parallel-web` client in `scripts/parallel-client.ts`.
  - Boundary markers: Results are delimited using Markdown headers and horizontal rules (`---`) in `scripts/formatter.ts`.
  - Capability inventory: The skill can execute Bash commands (to run its own scripts) and write files to the `docs/research/parallel/` directory.
  - Sanitization: `scripts/formatter.ts` includes `sanitizeForFilename` for file path safety, but external web content is not sanitized for prompt-injection markers.
- Data Exposure (SAFE): The skill utilizes the `PARALLEL_API_KEY` environment variable. There are no hardcoded credentials or attempts to access sensitive system files.