High-accuracy web search and research via Parallel.ai API. Optimized for AI agents with rich excerpts and citations.
Security Analysis
High confidence: The package largely matches its claimed search/research purpose, but contains inconsistencies (undeclared required credentials, a hard-coded API key, and undeclared binary dependencies) that make it suspicious and worth manual review before use.
Name/description align with the included scripts (search, extract, task, monitor, findall). However the registry metadata declares no required env vars or binaries while almost every script requires PARALLEL_API_KEY (and some optionally BROWSERUSE_API_KEY). The shell script also uses curl/jq but the skill metadata does not list required binaries.
Runtime instructions and scripts stay within the stated goal of interacting with Parallel.ai (search, extraction, tasks, monitors). They do not attempt to read unrelated local files or secrets, but they do allow sending data to arbitrary webhook URLs (monitor.create) and can be configured to use third-party authenticated browsing (browser-use.com). Those features are plausible for a monitoring/research tool but expand the blast radius and require care when supplying webhook URLs or browser-use credentials.
No install spec is provided (instruction-only/inline usage), which is low-risk, but the package includes multiple executable scripts. Because the skill ships code but has no declared install steps, users may run the included scripts directly; the scripts call external network endpoints. No external downloads or obscure URLs are used.
Discrepancy between metadata (no required env vars) and code: scripts require PARALLEL_API_KEY and some accept BROWSERUSE_API_KEY. Critically, scripts/search.py contains a hard-coded API key string as a default value — this is unexpected for a search client and may represent a leaked/test key or a backdoor allowing requests to run under the author's account. The hard-coded key is disproportionate and creates both functional and security concerns.
The skill does not request always:true, does not modify other skills, and does not request persistent platform privileges. It behaves like a normal task/utility client that can be invoked by the agent.
Guidance
Do not install or run this skill blindly. Before using it:
1) Treat the hard-coded API key as suspicious: do not rely on it; prefer to set your own PARALLEL_API_KEY and remove/replace any hard-coded defaults.
2) Verify provenance: the source and homepage are unknown. Ask the publisher for official docs or an official package.
3) Expect the scripts to call external APIs (api.parallel.ai, api.browser-use.com) and to allow sending data to webhooks you supply: never provide webhooks or browser-use credentials that accept arbitrary sensitive data.
4) Ensure required local tools (curl, jq, python dependencies) are present.
5) If you already ran these scripts with your credentials, consider rotating those API keys.
6) If you need this capability but want lower risk, request an official SDK/package from the Parallel.ai vendor or use a vetted connector rather than an unknown third-party bundle.
Latest Release
v1.0.1
Version 1.0.1 of the "parallel-ai" skill
- No file changes detected in this release.
- Documentation, functionality, and triggers remain unchanged.
Published by @joelchance on ClawHub