parallel-deep-research

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). This is a direct link to an executable shell installer (install.sh) on an external domain — even if parallel.ai is a legitimate vendor, downloading-and-running remote .sh files is a common malware vector and should be treated as high risk unless you can verify the script contents, provenance, and signatures.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill's required workflow (SKILL.md Step 1) runs "parallel-cli research" which explicitly fetches/aggregates public web content ("cached web data" and re-fetch fresher data) and returns reports the agent is expected to read/use, so untrusted third‑party pages could indirectly inject instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's setup step tells users to run curl -fsSL https://parallel.ai/install.sh | bash, which fetches and immediately executes remote code at runtime to install the required parallel-cli dependency, so external content can directly control execution.