Listenhub
Warn
Audited by ClawScan on May 10, 2026.
Overview
Listenhub largely matches its media-generation purpose, but its image-generation script can automatically install local packages and modify shell setup, so it deserves review before use.
Use this skill only if you are comfortable sending the selected content or URLs to the provider and using a ListenHub API key. Before image generation, inspect or disable the automatic dependency installation path and consider manually installing jq/curl. Avoid confidential inputs, be aware of possible subscription/credit use, and note that the provided generate-image.sh artifact was truncated in the review context.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running image generation on a machine missing dependencies could modify the local system and request elevated privileges.
The image script can execute package-manager install commands, including sudo-based installs, as part of normal dependency checking rather than requiring a clearly declared install step or explicit user approval.
# If missing dependencies, auto-install ... install_cmd="sudo apt-get update && sudo apt-get install -y ${missing_deps[*]}" ... if eval "$install_cmd"; then
Manually review or install dependencies first, and the maintainer should move dependency installation into a declared install flow or require clear confirmation before running package-manager commands.
Anyone using the skill must trust it with their ListenHub API key and should treat generated requests as account-authorized actions.
The scripts require a local API key and send it as a bearer token to the provider, which is expected for the service but is still credential-bearing behavior.
check_api_key() { ... Error: LISTENHUB_API_KEY not set ... } ... -H "Authorization: Bearer ${LISTENHUB_API_KEY}"
Use a scoped/revocable API key if available, avoid sharing terminal output that might expose credentials, and revoke the key if you stop using the skill.
Podcast, TTS, explainer, and related inputs may be processed by an external service.
The skill clearly discloses that user content and URLs leave the local environment for provider-side processing.
User-provided content (text, URLs) is transmitted to the ListenHub API (`api.marswave.ai`) for processing. Do not pass sensitive or confidential information as input.
Do not submit confidential, private, or regulated content unless you are comfortable with the provider receiving it.
Running a script may contact GitHub for update information, revealing ordinary network metadata such as IP address and timing.
Each script may perform a read-only remote version check against GitHub; the SKILL.md discloses this and provides an opt-out.
REMOTE_VERSION_URL="https://raw.githubusercontent.com/marswaveai/skills/main/skills/listenhub/VERSION" ... response=$(curl -sS --max-time 5 ... "$REMOTE_VERSION_URL"
Set LISTENHUB_SKIP_VERSION_CHECK=1 if you do not want the version check.
A user might not be reminded that generation may consume account credits or paid quota.
The instruction aims to simplify the user experience, but mentioning that users do not need to know about credits could cause the agent to omit relevant subscription or usage-cost context.
Users don't need to know: Episode IDs, API structure, polling mechanisms, credits, endpoint differences.
Before generating media, confirm any credit or subscription impact when it matters to the user.
