ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Parallel Enrichment

v1.0.0

Bulk data enrichment via Parallel API. Adds web-sourced fields (CEO names, funding, contact info) to lists of companies, people, or products. Use for enriching CSV files or inline data.

0· 1.6k·2 current·2 all-time
by@normallygaussian
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose is to call the Parallel API via a CLI (parallel-cli) to enrich data. However, the registry metadata declares no required binaries and no credentials. A data-enrichment tool that talks to an external API normally requires: (a) the parallel-cli binary (or an install step) and (b) an API key or login. The absence of those declarations is inconsistent with the claimed purpose.
Instruction Scope
SKILL.md instructs the agent to read input CSVs, write output CSVs, preview rows (e.g., head -6), and to spawn sessions_spawn sub-agents to read and summarize output files. Those actions are within the expected scope for enrichment, but the guidance gives the agent the ability to read arbitrary file paths if misused—so confirm the agent's file-access boundaries and that spawned sessions only read expected files.
Install Mechanism
There is no install spec (instruction-only), which reduces direct install risk. However, the instructions assume the presence of 'parallel-cli' on PATH without declaring it as a required binary or providing install steps; this is an omission that affects reproducibility and security review.
!
Credentials
No environment variables or primary credential are declared. In practice, communicating with Parallel.ai typically requires authentication (API key or CLI login). The SKILL.md does not document how auth is provided (env var, config file, or interactive login), so required secrets could be hidden in platform config or left undocumented—this mismatch is important to resolve before use.
Persistence & Privilege
The skill does not request persistent installation, does not set always:true, and has no install-time hooks. Autonomous invocation is allowed (platform default). The main persistence concern is that instructions encourage writing files (target CSVs) and spawning sessions to read them—normal for the task but verify where outputs and any cached credentials are stored.
What to consider before installing
Before installing or using this skill: (1) Verify you have parallel-cli installed and know how it is authenticated—ask the skill author whether an API key (e.g., PARALLEL_API_KEY) or CLI login is required and where that credential is stored. (2) Treat the absence of declared binaries/credentials as a red flag: do not assume the skill is self-contained. (3) Run the CLI locally on a small non-sensitive dataset first to confirm behavior (what is sent to the network, monitoring URLs, and output format). (4) Be cautious about file paths: the skill instructs spawning sub-agents to read files—ensure those tools only access intended files and that no sensitive files are in the same directories. (5) If you need higher assurance, ask the publisher for provenance (author identity, source repo or install instructions) or prefer an officially published integration from Parallel.ai that documents auth and installation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a5tbrzczwyjtb8yk32pfaqh80fzna

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments