parallel-data-enrichment

Fail

Audited by Snyk on Mar 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). Direct link to an install.sh on a third‑party domain and the explicit curl | bash installation instruction make this a high‑risk download source because it would execute remote code with no verification and the domain is not a widely recognized, trusted package host.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly says the tool "Adds web-sourced fields (CEO names, funding, contact info)" via the parallel-cli enrich flow, which fetches/ingests open web content and returns output CSV rows that the agent is expected to read/interpret (preview), so untrusted third-party content can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's setup includes a runtime installation command that downloads and pipes a remote script to bash (curl -fsSL https://parallel.ai/install.sh | bash), which would execute remote code to install the required parallel-cli dependency.

Issues (3)

E005 (CRITICAL): Suspicious download URL detected in skill instructions.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 19, 2026, 01:01 AM
Issues: 3