ClawHub
Back to skill

Security audit

Parallel

Security checks across malware telemetry and agentic risk

Overview

This is a real Parallel.ai research skill, but it contains a hidden fallback API key and under-disclosed optional capabilities that can send queries, credentials, monitor alerts, and webhook data to third parties.

Review before installing. Use your own PARALLEL_API_KEY, remove or verify the embedded key in scripts/search.py, and avoid setting BROWSERUSE_API_KEY unless you specifically want BrowserUse authenticated browsing. Treat all queries, URLs, objectives, task inputs, monitor events, and webhook payloads as data sent to external services, and create monitors only when you are prepared to manage and delete that persistent account state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill demonstrates use of environment variables, network access, and shell commands but does not declare corresponding permissions or capability boundaries. This creates a transparency and policy-enforcement gap: users and hosting platforms may not realize the skill can transmit data externally or execute commands, increasing the risk of unintended data exposure or misuse.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The skill metadata describes web search and research, but this script implements persistent monitor creation, event retrieval, and deletion. That scope expansion matters because long-lived tracking and alerting can collect ongoing information and perform state-changing actions beyond a user's likely expectation for a research tool.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script allows arbitrary webhook URLs to be registered for monitor notifications, enabling data from detected events to be pushed to external endpoints. In a skill presented as search/research functionality, this adds an outbound data transfer capability that could be abused to exfiltrate monitored content or send alerts to attacker-controlled infrastructure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds a hardcoded fallback Parallel API key directly in source code, which exposes a credential to anyone with access to the skill. In an agent skill context, this can cause unauthorized third-party API use, billing abuse, and makes the skill silently operate under the author's account rather than requiring explicit user configuration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README clearly describes sending user prompts to Parallel.ai for web search and research, but it does not explicitly warn that user queries and possibly related context are transmitted to a third-party service. In an agent setting, users may assume searches are local or privacy-preserving, so this omission can lead to unintended disclosure of sensitive prompts, research topics, or embedded secrets.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Using the generic trigger phrase "research" can cause the skill to activate for many ordinary user requests, including ones where the user did not intend to send content to an external search provider. In a skill that performs networked queries, overly broad activation increases the chance of accidental data disclosure and unexpected third-party API usage.

Vague Triggers

Medium
Confidence
73% confidence
Finding
The trigger phrase "deep search" is ambiguous and may overlap with generic assistant behavior or user phrasing unrelated to this specific tool. Ambiguous invocation can lead to accidental activation of an external networked skill, causing unintended query transmission and confusing tool-selection behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description emphasizes search quality and citations but does not tell users that their queries are sent to an external API provider. This lack of disclosure is important because users may include sensitive prompts, proprietary research topics, or personal data, assuming processing is local when it is not.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This script transmits user-supplied URLs and an optional objective string to the remote Parallel.ai Extract API, but it provides no explicit warning, consent prompt, or guardrail about sending potentially sensitive internal URLs or confidential research prompts off-host. In an agent-skill context, users may assume extraction is local, so this can cause unintended disclosure of private targets, internal endpoints, or sensitive task context to a third party.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The delete operation performs an irreversible state change immediately based on a supplied monitor ID, with no confirmation prompt or dry-run safeguard. In an agent context, this increases the risk of accidental or prompt-induced destructive actions that remove monitoring configuration or evidence of prior activity.

Missing User Warnings

High
Confidence
98% confidence
Finding
Using a hidden fallback API key without disclosure means users and agents may unknowingly send queries through an embedded credential they do not control. This is dangerous because it obscures data flow, prevents informed consent, and can route sensitive research queries to a third-party account tied to the developer.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
When authenticated browsing is enabled, the script forwards user-supplied research queries and browsing targets to the external browser-use MCP endpoint using the provided bearer token. This creates a real data-flow/privacy risk because users are not explicitly warned at runtime that their prompts, URLs, and possibly retrieved content may be transmitted to a third-party service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.