parallel-deep-research
Audited by Socket on Mar 3, 2026
1 alert found:
Malware

This skill is functionally consistent with its stated purpose (orchestrating deep research jobs via the parallel-cli service). Primary security concerns are supply-chain and credential risks: the documentation instructs users to install the CLI via curl | bash (download-and-execute), offers pipx as an alternative without pinned versions or signatures, and relies on an API key or login that the CLI will transmit to parallel.ai. The allowed-tool permission (shell access to parallel-cli) and the installer pattern are the highest-risk elements. There is no evidence in this skill file of deliberate malicious behavior (no obfuscation, no exfiltration endpoints other than the expected parallel.ai service), so malware probability is low. However, the unpinned installer and broad execution capability raise the overall security risk to a moderate level. Recommend replacing curl | bash with a pinned, signed installer, adding integrity verification, limiting allowed-tools scope if possible, and documenting credential scoping and retention policies.