Content Parser

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to do what it claims—extract URL content through an external API—but users should notice that it uses an API key, sends URLs to a provider service, runs bounded shell polling, and saves results locally.

This skill is reasonable for URL parsing if you trust the ListenHub/Marswave API service. Before installing, make sure you are comfortable providing the API key, sending target URLs to the external service, allowing a bounded background polling command, and saving extracted content files in the current directory.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use your ListenHub API key to submit extraction jobs and consume account credits or quota.

Why it was flagged

The skill requires a service API key, which is expected for an API-backed content parser but gives the skill delegated access to that provider account.

Skill content

requires:
  env: ["LISTENHUB_API_KEY"]
primaryEnv: "LISTENHUB_API_KEY"

Recommendation

Use a dedicated, least-privileged API key if the provider supports it, and monitor provider usage or billing.

What this means

Private, signed, or sensitive URLs may be disclosed to the external extraction service if you ask the skill to parse them.

Why it was flagged

The skill sends the user-provided URL and extraction options to an external API and later retrieves the extracted content from that service.

Skill content

POST /v1/content/extract ... "uri": "{url}" ... https://api.marswave.ai/openapi/v1/content/extract/$TASK_ID

Recommendation

Only submit URLs you are comfortable sending to the provider, and avoid private links unless that is intentional and permitted.

What this means

The agent may run a background command for up to about five minutes after you confirm extraction.

Why it was flagged

The skill instructs the agent to execute a shell polling loop using curl and jq; this is aligned with waiting for an API task and is time-bounded.

Skill content

Run the following exact bash command with `run_in_background: true` and `timeout: 300000`

Recommendation

Install only if you are comfortable with the agent running bounded local shell commands for API polling.

What this means

The agent may lack the referenced guidance files unless they are supplied elsewhere by the runtime or platform.

Why it was flagged

The instructions depend on shared reference files that are not included in the provided file manifest, which makes some setup and error-handling details less self-contained.

Skill content

Always read `shared/authentication.md` ... Follow `shared/common-patterns.md` ... Always read config following `shared/config-pattern.md`

Recommendation

Confirm that the platform provides the referenced shared files, or review them separately if available.