Trust Assessment
parallel received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 1 medium, and 1 low severity. Key findings include Potential hardcoded secret (high entropy), Hardcoded API Key in Shell Script, Command Injection via User Input in Shell Script.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 8/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Description and Recommendation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Command Injection via User Input in Shell Script | User-provided input (e.g., `$QUERY`, `$COMPANY`, `$PERSON`) is directly embedded into a JSON string within a `curl -d` command without proper escaping. An attacker can inject arbitrary shell commands by including shell metacharacters (e.g., `$(command)`) in their input, leading to execution of malicious code on the host system. Sanitize or properly escape all user-provided input before embedding it into shell commands or JSON payloads. For JSON, use a tool like `jq` to construct the JSON securely, e.g., `jq -n --arg input "$input" '{"processor": "base", "input": $input}'`. | LLM | scripts/parallel.sh:20 |
| CRITICAL | Command Injection via Run ID in Shell Script | The `RUN_ID` provided by the user for the `status` command is directly embedded into the URL path of a `curl` command. An attacker can inject arbitrary shell commands by providing a `RUN_ID` that contains shell metacharacters (e.g., `123; ls -la`), leading to execution of malicious code on the host system. Validate the `RUN_ID` to ensure it conforms to expected patterns (e.g., alphanumeric) or properly quote/escape it before embedding it into the URL. It is best to strictly validate any input that will be used in shell commands. | LLM | scripts/parallel.sh:90 |
| HIGH | Hardcoded API Key in Shell Script | The `API_KEY` is hardcoded as a default value in the `parallel.sh` script. If the `PARALLEL_API_KEY` environment variable is not set, this default key will be used. Distributing this script with a hardcoded key makes the API key publicly accessible, posing a significant security risk. Remove the hardcoded default API key. The script should strictly require the `PARALLEL_API_KEY` environment variable to be set, or retrieve it from a secure secret management system. | LLM | scripts/parallel.sh:5 |
| HIGH | Hardcoded API Key in Python Script | The `API_KEY` is hardcoded as a default value in the `search.py` script. If the `PARALLEL_API_KEY` environment variable is not set, this default key will be used. Distributing this script with a hardcoded key makes the API key publicly accessible, posing a significant security risk. Remove the hardcoded default API key. The script should strictly require the `PARALLEL_API_KEY` environment variable to be set, or retrieve it from a secure secret management system. | LLM | scripts/search.py:10 |
| MEDIUM | Potential hardcoded secret (high entropy) | A high-entropy string (entropy=4.77) was found in a credential-like context. Verify this is not a hardcoded secret. Use environment variables for sensitive values. | Static | skills/pntrivedy/parallel-1-0-1/scripts/parallel.sh:7 |
| LOW | Unpinned Python Dependency | The `parallel-web` Python dependency is not pinned to a specific version. This introduces a supply chain risk where future updates or potentially malicious versions of the package could be inadvertently installed, leading to unexpected behavior or security vulnerabilities. Pin the `parallel-web` dependency to a specific, known-good version (e.g., `parallel-web==1.2.3`) in a `requirements.txt` file or similar dependency management configuration. | LLM | SKILL.md:9 |