Research
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user enables deep research or PDF export, they may expect to run helper commands whose implementation is not included in the reviewed artifacts.
The setup instructions ask users to put helper scripts on PATH, but the supplied artifact manifest contains no scripts or code files. This is a packaging/provenance gap rather than evidence of malicious behavior.
The CLI lives in this skill's `scripts/` folder. Symlink it ... ln -sf ~/.openclaw/skills/research/scripts/parallel-research ~/.local/bin/parallel-research
Before symlinking or running these helpers, confirm the scripts are present, readable, and from the expected skill package; prefer the user-local symlink over the sudo system-wide option.
Running the setup command would execute a third-party installer in the user's environment.
The setup guide includes a user-directed remote shell installer for uv. This is disclosed and dependency-related, but it executes code retrieved from the network.
curl -LsSf https://astral.sh/uv/install.sh | sh
Use a trusted package manager where possible, inspect the installer first, or verify the source before running curl-to-shell commands.
The API key may allow use of the user's Parallel AI account and potentially incur usage costs if used by the CLI.
Deep research setup stores and exports a Parallel AI API key. This is expected for the Parallel AI integration, but it is sensitive account authority and is not declared in the registry metadata.
echo "PARALLEL_API_KEY=your_key_here" > ~/.secrets/parallel_ai/.env ... echo 'export $(cat ~/.secrets/parallel_ai/.env | xargs)' >> ~/.bashrc
Use a minimally scoped key if available, keep the secrets file private, and rotate the key if it is exposed.
Research prompts or topics may be processed outside the local OpenClaw workspace.
Deep research sends the research question to an external provider and receives a report back. This is disclosed and aligned with the feature, but users should treat it as an external data flow.
Uses the Parallel AI API via `parallel-research` CLI. Takes minutes to hours, returns detailed markdown reports.
Avoid sending confidential or regulated information to deep research unless the provider and account settings are acceptable for that data.
The agent may wake up later, run the result-check command, and post back to the original channel.
The OpenClaw integration can schedule an autonomous follow-up agent turn to poll for deep-research results and reschedule if the task is still running. The job is disclosed and one-shot, but it is still background agent activity.
"message": "Check research task <run_id>. Run: parallel-research result <run_id>. If complete, summarize key findings. If still running, reschedule another check in 10 min.", ... "deleteAfterRun": true
Schedule auto-checks only when wanted, verify the target time and channel, and remove any lingering jobs after the research completes.
Future work based on the research document may be influenced by incomplete, stale, or source-biased findings.
The skill intentionally builds persistent research documents from ongoing findings and sources. This is core to the skill, but persistent notes can carry outdated or unverified information into later decisions.
The conversation is ephemeral; the document is what matters.
Keep source links, mark uncertainty clearly, and re-check important claims before using the document for high-impact decisions.
