ClawHub

Parallel 1.0.1

v1.0.0

High-accuracy web search and research via Parallel.ai API. Optimized for AI agents with rich excerpts and citations.

1· 1.5k·0 current·0 all-time
by@pntrivedy·duplicate of @mvanhorn/parallel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the code: both scripts call Parallel.ai endpoints and the SKILL.md shows the Parallel SDK. However the manifest declares no required binaries or env vars while the shipped shell script requires curl and jq and the Python code requires the parallel SDK/pip package. That mismatch (manifest says 'none' but files clearly need these tools) is inconsistent.
Instruction Scope
SKILL.md stays within the stated scope (how to call the Parallel SDK and examples). The runtime scripts perform only search/research operations against api.parallel.ai. Nothing in SKILL.md instructs the agent to read unrelated system files. Still, the example uses {baseDir}/scripts/search.py and the shell script will call curl/jq — the instructions omit those runtime details and the presence of a baked-in API key is not documented in the SKILL.md.
Install Mechanism
There is no install spec (instruction-only), which minimizes disk-write risk. SKILL.md does ask to pip install the Parallel SDK (parallel-web); that is a reasonable, proportional dependency for this skill.
!
Credentials
The code uses an environment variable PARALLEL_API_KEY but the registry metadata lists no required env vars. Worse, both scripts include a hardcoded API key fallback ("y2s_m4er5i6-5qCikOLUtmnkvOYRU24eDphq_jg1"). Embedding a live-looking API key in code is a red flag: it may be a leaked/privileged credential (billing/tracking risk), or it may allow the skill author to monitor or bill API usage. The skill asks network access to an external API (expected for a search skill) but does not declare or justify the embedded key.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system configs. It does allow autonomous invocation (platform default), which increases blast radius but is not itself unusual.
What to consider before installing
This skill appears to do what it says (wrap the Parallel.ai search API) but contains two practical inconsistencies you should care about: (1) both scripts provide a hardcoded API key fallback — treat that as suspicious (it could be a leaked or shared credential that enables tracking, billing, or unauthorized access). (2) The shell script uses curl and jq and the Python script requires the 'parallel' SDK, yet the registry declares no required binaries/env vars. Before installing: ask the author to remove the embedded API key and to document required binaries and environment variables. If you still want to use it, set your own PARALLEL_API_KEY in your environment and verify the key's permissions and billing implications; audit network traffic to api.parallel.ai and review Parallel.ai's privacy/policy. If you cannot validate the origin of the embedded key or the author's identity, do not install or run these scripts with sensitive queries or on a system where unauthorized API usage would be a problem.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ehb2ywy97aj5nxtbpk4aq8s7zybs8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔬 Clawdis

Comments