Parallel AI Skill
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly wraps Parallel.ai research APIs, but it embeds an API key and includes under-documented persistent monitoring and remote MCP credential features.
Install only if you are comfortable sending research queries to Parallel.ai. Prefer setting your own PARALLEL_API_KEY, avoid relying on the embedded key, and do not use monitor/webhook or BrowserUse/MCP features unless you intentionally want persistent external tracking or authenticated browsing and understand the costs and data sharing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches may run under a shared or publisher-controlled Parallel.ai credential, making billing, quota, audit ownership, and credential exposure unclear.
The search script falls back to an embedded provider API key instead of requiring a user-controlled credential, despite the registry metadata declaring no primary credential or required environment variable.
API_KEY = os.environ.get("PARALLEL_API_KEY", "y2s_m4er5i6-...")
Remove the embedded key, rotate it if it is real, require users to provide their own PARALLEL_API_KEY, and declare that credential in the metadata.
A monitor could continue running on the external service after the initial task, potentially generating costs or sending monitored results to a webhook until it is deleted.
The script can create recurring external monitors and optional webhooks, but this persistent behavior is not described in SKILL.md or README.md.
Parallel.ai Monitor API - Continuous web tracking with alerts ... create "Track AI funding news" --cadence daily ... --webhook https://...
Document monitor creation prominently, require explicit user confirmation before creating webhooks or recurring monitors, and provide clear list/delete guidance.
Authenticated browsing tasks may share a BrowserUse credential and task context across external services, with unclear boundaries for what pages or sessions can be accessed.
When a BrowserUse key is present, the task script builds a remote MCP server configuration with a bearer token and sends it as part of the Parallel task request, which is not covered by the main skill documentation.
browseruse_key = args.browseruse_key or os.environ.get("BROWSERUSE_API_KEY") ... "url": "https://api.browser-use.com/mcp", "headers": {"Authorization": f"Bearer {browseruse_key}"}
Clearly document the BrowserUse/MCP data flow, require explicit opt-in for authenticated browsing, and explain which credentials are sent to which service.
The installed SDK version may vary over time, and users must trust the package source they install from.
The setup uses an external, unpinned Python package and there is no install spec or lockfile in the provided artifacts; this is common for SDK wrappers but leaves dependency provenance/versioning to the user.
pip install parallel-web
Pin dependency versions, provide an install spec or requirements file, and document required binaries and environment variables.
