parallel-deep-research

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). This URL is high-risk: it points to a downloadable shell script (install.sh) meant to be piped to bash — a common malware vector because it executes unverified remote code from a single domain without checksums or signatures, so unless parallel.ai is a verified trusted vendor this should be treated as suspicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs running "parallel-cli research run" / "parallel-cli research poll" (part of parallel-web-tools) which performs deep web research and produces $FILENAME.md and $FILENAME.json containing aggregated basis and an executive summary derived from open/public third‑party web content that the agent must read/share, so untrusted web content can materially influence next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup includes a runtime command that fetches and executes remote code—"curl -fsSL https://parallel.ai/install.sh | bash"—which would install/enable the required parallel-cli dependency and thus executes external code during runtime.