Listenhub
Review
Audited by ClawScan on May 10, 2026.
Overview
ListenHub mostly does what it claims, but its image-generation script can automatically install system packages and the skill relies on an undeclared local API key setup.
Install only if you are comfortable sending selected text, URLs, prompts, and media-generation inputs to the provider, storing a ListenHub API key locally, and reviewing any dependency installation before it runs. Consider installing jq/curl yourself and setting LISTENHUB_API_KEY manually instead of relying on the script's auto-setup.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using image generation on a system missing jq or curl could modify the local system and invoke privileged installers without a separate, explicit install step.
The image script attempts to auto-install missing dependencies with system package managers and executes the constructed install command, even though the registry declares no required binaries or install mechanism.
echo " Auto-installing..." ... install_cmd="sudo apt-get update && sudo apt-get install -y ${missing_deps[*]}" ... if eval "$install_cmd"; then
Declare jq/curl as requirements and replace automatic installation with clear instructions or an explicit user approval prompt; avoid eval for installer execution.
The skill can use the user's ListenHub account/API credits, and the key must be protected like any other service credential.
The scripts require a local ListenHub API key and transmit it as a bearer token to the provider API. This is expected for the integration, but the registry metadata lists no primary credential or required environment variable.
Error: LISTENHUB_API_KEY not set ... -H "Authorization: Bearer ${LISTENHUB_API_KEY}"
Use a scoped, rotatable API key if available, set it manually in a secure environment, and do not share or paste the full key into chat output.
Prompts, article text, and supplied URLs may leave the local machine and be processed by the provider.
The skill discloses that user text and URLs are sent to an external API for generation, which is purpose-aligned but important for users to notice.
User-provided content (text, URLs) is transmitted to the ListenHub API (`api.marswave.ai`) for processing. Do not pass sensitive or confidential information as input.
Do not submit confidential, private, or regulated content unless you trust the provider and its data-handling terms.
The API key may remain readable in shell configuration files until the user removes or rotates it.
The image setup stores the API key persistently in a shell startup file. This is disclosed as auto-save behavior, but it leaves a long-lived local credential.
read -r api_key ... echo "export LISTENHUB_API_KEY=\"$api_key\"" >> "$shell_rc"
Prefer a secrets manager or carefully managed environment variable, and remove the shell rc entry if uninstalling or rotating the key.
