Listenhub

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide the promised media-generation features, but its setup path can modify shell startup files and run package-manager installs, so it needs user review before installation.

Install only if you trust ListenHub/Marswave and are comfortable with shell scripts sending your content to external APIs. Install curl and jq yourself first, avoid allowing automatic sudo/package-manager installs, use a revocable API key, and do not submit confidential text, private URLs, or sensitive images. Check your shell rc files for LISTENHUB_API_KEY entries if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell scripts and networked APIs but does not declare permissions or clearly scope those capabilities. This weakens user and platform visibility into what the skill can do, increasing the chance of unexpected command execution, outbound data transfer, and unsafe environmental side effects during normal use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose presents a simple media-generation skill, but the instructions also authorize modifying shell startup files, prompting for secrets, writing local files, attempting dependency installation, polling remote jobs, and contacting external update infrastructure. This mismatch is dangerous because users and orchestrators may grant trust based on the benign description while the skill performs broader system and network actions with persistence and supply-chain implications.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script reads from multiple shell startup files and persistently writes LISTENHUB_API_KEY and LISTENHUB_OUTPUT_DIR into the user's shell configuration. For an image-generation skill, this host inspection and persistence behavior exceeds the minimally necessary scope and creates unnecessary credential exposure and lasting system modification risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script auto-installs jq and curl using platform package managers, including sudo and noninteractive flags, which is a significant host-modification capability unrelated to safely generating an image. This can alter the system state, trigger privilege elevation prompts, and execute package-management commands without explicit user approval.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as content creation, but the script performs first-run configuration that persistently changes the local environment by editing shell profile files. This mismatch between declared purpose and actual system behavior increases risk because users would not reasonably expect ongoing host configuration changes from a simple image-generation tool.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The library automatically reads LISTENHUB_API_KEY from ~/.zshrc or ~/.bashrc, which is broader credential access than necessary for a media-generation skill and reaches into unrelated user configuration files. Even though it avoids eval and only extracts a specific variable, it still performs implicit secret discovery from shell startup files without clear user consent, increasing the chance of unintended credential exposure or use.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The script performs an automatic outbound version check to GitHub on load, which is unrelated to the core task of generating podcasts or narration and creates unexpected network activity. While the check is notify-only and does not auto-update, it still discloses usage metadata such as IP address and timing to a third party whenever the library is sourced.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases are so broad that ordinary requests like explaining, reading aloud, generating an image, or sharing knowledge may invoke the skill unintentionally. In this skill's context, accidental activation is more dangerous because invocation can lead to network transmission of user content, external URL fetching, local file writes, shell execution, and possible config changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script takes arbitrary user-supplied content and sends it to an external ListenHub API endpoint via `api_post` without any explicit notice, confirmation, or consent mechanism at the point of transmission. In a skill that may receive sensitive text, pasted documents, or proprietary material, this creates a real privacy and data-handling risk because users may not realize their input leaves the local environment and is processed by a third party.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script packages user-provided query text, source URLs, and source text into a JSON body and sends them to a remote API via api_post. In a skill explicitly handling articles, links, and freeform text, this network transmission is expected, but the lack of an explicit user-facing disclosure can still create a privacy/data-handling risk if users provide sensitive content assuming local-only processing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script takes arbitrary speech content from a file or stdin and posts it to an external ListenHub API via `api_post "speech" "$BODY"` without any explicit notice, confirmation, or guardrail about off-device data transmission. In a skill that accepts freeform text, URLs, and potentially sensitive material for narration, this can cause users or downstream callers to unknowingly exfiltrate confidential content to a third-party service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script transmits user-supplied text or URLs to the external ListenHub API via `api_post` without any explicit notice, confirmation, or consent mechanism at the point of execution. In a skill that may be used with arbitrary user-provided articles, links, or text, this creates a real privacy and data-handling risk because users may unintentionally send sensitive or proprietary content to a third-party service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script prompts for an API key and stores it in a shell startup file without clearly warning that the credential will be persisted in plaintext for future sessions. Persisting secrets this way increases the chance of accidental disclosure through local file access, backups, shell dotfile syncing, or later debugging and sharing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script modifies user shell configuration files during normal execution flow without a strong advance warning or explicit confirmation that persistent profile changes will be made. Silent or weakly disclosed profile editing can surprise users, break shell configuration, and create trust and integrity issues on the host.

Missing User Warnings

High
Confidence
99% confidence
Finding
The dependency check path automatically executes package-manager installation commands when tools are missing, with no explicit confirmation step. Running install commands automatically is dangerous because it changes the system state, may require elevated privileges, and can be abused or cause unintended package operations on the user's machine.

VirusTotal

65/65 vendors flagged this skill as clean.
