parallel-web-search

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). The two example.com URLs are generic placeholders and not direct downloads, but https://parallel.ai/install.sh is a direct remote shell script referenced in a curl | bash install instruction—executing a remote .sh is a high-risk pattern because it runs arbitrary code with your user's privileges and is commonly used to distribute malware.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs running parallel-cli search to fetch web results and extract excerpts/URLs from public websites (JSON output) and requires the agent to read and synthesize those third‑party web excerpts as cited sources, so it clearly ingests untrusted public web content that can influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup step instructs executing a remote install script at runtime via curl -fsSL https://parallel.ai/install.sh | bash, which fetches and immediately executes remote code and is required if parallel-cli is not present.