ClawHub

parallect-ai-deep-research

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid research connector with real cost and data-sharing considerations, but the artifacts do not show hidden, destructive, or deceptive behavior.

Install this only if you are comfortable giving OpenClaw a Parallect API key, sending research prompts to Parallect and its provider network, and allowing confirmed research jobs to spend credits. Set a clear budget tier, monitor usage, and avoid submitting secrets or sensitive business, personal, or regulated data unless that sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README advertises very broad natural-language triggers such as "look this up" and "find out about," which can cause the skill to activate when the user did not explicitly intend to invoke an external paid research workflow. In this skill's context, unintended activation is more concerning because it can lead to external data transmission to a third-party service and potentially incur cost.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases include very common language such as 'look this up', 'find out about', 'deep dive on', and 'what do we know about', which can match ordinary conversational requests that do not clearly indicate consent to invoke a paid external research tool. In this skill, unintended invocation is more dangerous because the tool can spend user funds and send user queries to third-party providers, creating both billing and data-exposure risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal