Trust Assessment
parallel-ai-search received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via `exec` tool arguments, Arbitrary file read via `--request` argument, API Key exfiltration and SSRF via user-controlled `--base-url`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Potential Command Injection via `exec` tool arguments The skill instructs the host LLM to use the `exec` tool to run Node.js scripts, passing user-controlled arguments directly. If the `exec` tool does not properly escape these arguments before passing them to the shell, a malicious user could inject arbitrary shell commands. For example, an objective like `--objective "foo; rm -rf /"` could lead to arbitrary code execution on the host system. While the Node.js `parseCli` function is robust against shell injection *after* Node.js starts, the vulnerability lies in the initial shell invocation by the `exec` tool. The OpenClaw `exec` tool should ensure that all user-controlled arguments are properly escaped for the shell environment before execution. Alternatively, consider using a more secure execution mechanism that avoids shell interpretation for arguments, or explicitly validate/sanitize user input for shell metacharacters before passing to `exec`. | LLM | SKILL.md:35 | |
| CRITICAL | API Key exfiltration and SSRF via user-controlled `--base-url` The `parallel-extract.mjs`, `parallel-search-extract.mjs`, and `parallel-search.mjs` scripts allow overriding the API base URL via the `--base-url` argument. The `postJson` function then makes a request to this user-controlled URL, including the `x-api-key` header which contains the `PARALLEL_API_KEY`. This allows a malicious user to specify an attacker-controlled server as the base URL, thereby exfiltrating the `PARALLEL_API_KEY` to their server. Additionally, this capability enables Server-Side Request Forgery (SSRF), allowing the agent to make requests to internal network resources or other external services on behalf of the attacker. Do not allow users to override the API base URL. If overriding is strictly necessary for development/testing, ensure it's restricted to a whitelist of trusted URLs or only enabled in non-production environments. The `PARALLEL_API_KEY` should never be sent to an untrusted or user-controlled endpoint. | LLM | scripts/_lib.mjs:147 | |
| HIGH | Arbitrary file read via `--request` argument The `parallel-extract.mjs`, `parallel-search-extract.mjs`, and `parallel-search.mjs` scripts accept a `--request` argument, which specifies a path to a JSON file to be loaded. The `loadRequestJson` function, which uses `readTextFile`, does not validate or restrict the provided file path. This allows a malicious user to specify an arbitrary file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) and read its contents. While the content is intended to be parsed as JSON, even invalid JSON might be logged or cause errors that reveal parts of the file. This constitutes a data exfiltration vulnerability. Restrict the `--request` argument to only allow paths within a designated, secure data directory. Implement strict path validation (e.g., disallow `..`, absolute paths outside a sandbox). Consider using a virtual filesystem or a more controlled input mechanism if arbitrary file loading is truly necessary. | LLM | scripts/_lib.mjs:121 |
Scan History
Embed Code
[](https://skillshield.io/report/8f17a1e963ec1466)
Powered by SkillShield