parallel-findall

Fail

Audited by Snyk on May 8, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The URL is a direct link to a shell install script (install.sh) on a third-party domain. Running or piping such remote scripts is a high-risk vector even if the domain appears legitimate, so verify the site, inspect the script contents, and prefer trusted package managers or signed releases.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill runs parallel-cli findall, which ingests and returns entities sourced from public third-party websites. Source URLs are cited in the FindAll JSON, and SKILL.md explicitly references LinkedIn, YCombinator, Crunchbase, and news/blog posts; its Response format also instructs the agent to "spot-check the kept entries against the source URL". The agent is therefore expected to read and interpret untrusted web content that can change filtering and follow-up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill's setup instructs running a remote installation script via "curl -fsSL https://parallel.ai/install.sh | bash", which fetches and executes remote code at runtime and is required to obtain the parallel-cli dependency.

Issues (3)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 8, 2026, 03:31 PM
Issues: 3