parallel-deep-research

Fail

Audited by Socket on Mar 2, 2026

1 alert found:

Malware (HIGH)
SKILL.md

The skill correctly documents how to run deep research jobs with parallel-cli, but it follows high-risk supply-chain patterns: it recommends a curl | bash install of a remote script without integrity verification, requests environment-stored API keys, and delegates capabilities to a third-party CLI. Those patterns meaningfully increase the chance of compromise if the upstream installer or service is malicious or becomes compromised. There is no direct evidence in this YAML of embedded malware or backdoors, but the instructions create a transitive trust and execution risk that should be mitigated.

Recommendations: avoid running curl | bash without auditing the script and verifying signatures/checksums; prefer installing from verified package distributions or pinned releases; use short-lived, least-privilege credentials and isolate installation (container/VM) until the binary is audited; restrict tool permissions rather than using wildcards.

Confidence: 98%
Severity: 90%

Audit Metadata

Analyzed At: Mar 2, 2026, 11:28 PM
Package URL: pkg:socket/skills-sh/parallel-web%2Fagent-skills%2Fparallel-deep-research%2F@a9058e9af677ca880689910432cd163b5c194660