research-lookup
Fail
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructions in
SKILL.mdexplicitly direct the agent to download and execute a shell script from a remote URL (https://parallel.ai/install.sh | bash) if theparallel-clitool is missing. This pattern is a classic remote code execution (RCE) vector. - [EXTERNAL_DOWNLOADS]: The skill uses
curlto fetch an installation script fromparallel.ai, which is not a verified or well-known trusted vendor. Automated execution of external scripts poses a supply-chain risk. - [COMMAND_EXECUTION]: The skill utilizes the
Bashtool to perform network operations, install software, and execute system commands. While some usage is functional, the automated fallback tocurl | bashduring error handling is inherently dangerous. - [CREDENTIALS_UNSAFE]: The
README.mdandSKILL.mdfiles provide instructions for setting upPARALLEL_API_KEYandOPENROUTER_API_KEY. While it correctly suggests using environment variables, the automated setup process and lack of verification for the installation source increase the risk of credential exposure to the downloaded scripts.
Recommendations
- HIGH: Downloads and executes remote code from: https://parallel.ai/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata