Explainer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a coherent explainer-video generator that uses a ListenHub API key and external API calls, with no artifact-backed malicious behavior found.

This skill appears reasonable for creating explainer videos. Before using it, make sure you trust the ListenHub/Marswave service with your prompt content and API key, review any referenced shared configuration/authentication docs if available, and avoid submitting sensitive material unless the provider's privacy terms are acceptable.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and using the skill requires giving the agent access to a service API key that can submit generation jobs on the user's account.

Why it was flagged

The skill requires a ListenHub API key and uses it as a bearer token for API calls. This is expected for the stated service integration, but it is account-level credential use.

Skill content

requires:
      env: ["LISTENHUB_API_KEY"] ... -H "Authorization: Bearer $LISTENHUB_API_KEY"

Recommendation

Use a dedicated, least-privileged API key if available, and avoid sharing or logging the key.

What this means

The agent may start a background polling command after the user confirms generation, using local shell tools and the API key.

Why it was flagged

The skill instructs the agent to run shell commands for API polling. The command is disclosed, bounded, and aligned with waiting for video generation results.

Skill content

Poll (background): Run the following exact bash command with `run_in_background: true` and `timeout: 600000` ... curl ... jq

Recommendation

Confirm generation only when you are comfortable with the agent making the background API polling request.

What this means

Some referenced operating instructions are outside the provided artifact set, so users cannot review all referenced guidance here.

Why it was flagged

The skill depends on shared reference files for authentication, polling, and config behavior, but those shared files are not included in the provided file manifest.

Skill content

Always read `shared/authentication.md` ... Follow `shared/common-patterns.md` ... Always read config following `shared/config-pattern.md`

Recommendation

Review the referenced shared files in the installed environment before relying on the skill, especially authentication and config handling.

What this means

Any text or topic provided for the explainer may be sent to the external generation service.

Why it was flagged

The workflow sends the user's topic or content to an external storybook/video-generation API. This is necessary for the skill's purpose and requires explicit confirmation before generation.

Skill content

POST /storybook/episodes with content, speaker, language, mode

Recommendation

Do not submit confidential or regulated content unless you trust the provider and its data handling terms.

What this means

Preferences may persist across future uses of the skill and affect later generation defaults.

Why it was flagged

The skill creates a persistent local configuration file and later stores user preferences such as default speakers. The stored data appears limited and purpose-aligned.

Skill content

echo '{"outputDir":".listenhub","outputMode":"inline","language":null,"defaultStyle":null,"defaultSpeakers":{}}' > ".listenhub/explainer/config.json"

Recommendation

Review or delete .listenhub/explainer/config.json if you want to reset saved defaults.