ClawHub

Listenhub

Security checks across malware telemetry and agentic risk

Overview

This media-generation skill mostly matches its purpose, but it needs review because it can make persistent local changes, install packages with elevated privileges, and contains an under-disclosed remote self-update path.

Review this skill before installing. Use it only if you are comfortable sending prompts, text, URLs, and image references to ListenHub/Marswave/Labnana services. Prefer installing curl and jq yourself, avoid uploading private local images to public image hosts, do not paste highly sensitive content, and consider removing or disabling the auto-install, shell-profile secret persistence, eval-based credential loading, and self-update code paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (26)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to upload local reference images to third-party hosting providers before generation. This creates an unnecessary data exfiltration path: local user files may contain sensitive content or metadata, and uploading them to unrelated external services exceeds what users would reasonably expect from a media-generation skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script automatically installs missing dependencies by constructing package-manager commands and executing them via eval, including sudo on Linux and noninteractive flags on some platforms. For a content-generation skill, silently modifying the host system and invoking privileged package installation exceeds expected scope and can lead to unintended system changes or privilege abuse.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script reads secrets and configuration from multiple shell startup files, which are unrelated to the immediate image-generation task and may contain sensitive user state. Accessing and parsing shell RC files broadens the script's reach into user environment data and normalizes inspecting files that may hold credentials or other personal configuration.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is branded and configured as ListenHub but the implementation targets Labnana/Marswave endpoints, creating a trust mismatch about where prompts and possibly referenced image URLs are sent. This is dangerous because users may believe data is handled by one provider while it is actually transmitted to another external service.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The setup flow tells users it is saving ListenHub configuration while the script actually sends data to Labnana, which is materially misleading during credential setup. Misleading messaging around credential entry and storage increases phishing-like risk and prevents informed consent about where authentication data will be used.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The library performs a silent self-update on load, downloading and replacing local scripts from remote GitHub endpoints without explicit user approval or integrity verification beyond HTTPS and basic version parsing. This creates a supply-chain and unexpected code-execution risk because a media-generation skill is modifying its own executable components outside the user’s requested task.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code fetches a remote script listing from the GitHub API and downloads replacement shell scripts into the local skill directory, then activates them by moving them into place and chmodding them executable. That is an unjustified self-modification capability for the stated skill purpose and materially increases remote code injection and supply-chain compromise risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads shell startup files and evals lines matched by grep to populate LISTENHUB_API_KEY. Evaluating content derived from rc files is dangerous because those files may contain unexpected or attacker-controlled shell syntax, turning credential loading into arbitrary code execution.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are broad enough to overlap with many ordinary requests such as 'read this aloud' or 'generate an image,' increasing the chance the skill is invoked when the user did not intend to use it. Because the skill can perform network operations and local side effects, unintended activation raises the security significance beyond a mere UX issue.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Auto-detecting mode from loosely phrased user input can cause the agent to choose podcast, TTS, explainer, or image generation without clear user confirmation. In a skill that may fetch remote content, store outputs, and interact with external services, that ambiguity can lead to unintended data processing or uploads.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to save draft and JSON files into the user's Downloads folder without clearly warning the user first. Silent local writes can expose sensitive generated content to other local users, backup systems, or syncing services, and they violate the principle of minimizing unexpected filesystem side effects.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script transmits user-supplied content to an external ListenHub API endpoint, but it does not present any explicit warning, confirmation, or consent mechanism before sending potentially sensitive text off-host. In a skill designed to process arbitrary user ideas, articles, or narration input, users may unknowingly submit confidential, proprietary, or personal data to a third-party service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script transmits user-supplied text or URLs to an external ListenHub API endpoint, but it provides no explicit warning, confirmation, or consent step before sending potentially sensitive data off-host. In a skill designed to process arbitrary articles, text, and links, users may reasonably paste private or proprietary content, making silent exfiltration to a third-party service a genuine privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script auto-installs dependencies without an explicit confirmation prompt, including privileged package-manager invocations. In the context of an agent skill, executing host-level software installation as a side effect of image generation is overreaching and can unexpectedly alter the system or trigger privilege escalation workflows.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script writes the API key and output directory directly into the user's shell startup file without an explicit confirmation step, permanently modifying login behavior and persisting secrets in plaintext. Persisting credentials in broadly sourced RC files increases exposure to local disclosure, accidental commits, and unintended reuse by unrelated processes.

Missing User Warnings

High
Confidence
98% confidence
Finding
The library automatically downloads and overwrites local script files during normal execution without meaningful notice, consent, or an allowlist of exact expected files. In context, this is more dangerous because the skill claims media-generation functionality, not ongoing code management, so users would not reasonably expect executable changes at runtime.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently inspects ~/.zshrc or ~/.bashrc and evals matching export lines to obtain a credential. This is risky because it accesses sensitive configuration without prior warning and may execute arbitrary shell content if the matched line is malformed or maliciously crafted.

External Transmission

Medium
Category
Data Exfiltration
Content
fi

# Configuration
API_ENDPOINT="https://api.labnana.com/openapi/v1/images/generation"
AGENT_SKILLS_CLIENT_ID="PJBkELS1o_q9nJ~NzF2_Fmr21TNX&~eoJR49FFdFhD3U"
MAX_RETRIES=3
INITIAL_TIMEOUT=600
Confidence
88% confidence
Finding
https://api.labnana.com/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
elif command -v dnf &>/dev/null; then
          install_cmd="sudo dnf install -y ${missing_deps[*]}"
        elif command -v pacman &>/dev/null; then
          install_cmd="sudo pacman -S --noconfirm ${missing_deps[*]}"
        else
          echo "Error: No supported package manager detected" >&2
          echo "  Please install manually: ${missing_deps[*]}" >&2
Confidence
97% confidence
Finding
--noconfirm

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
linux)
        # Detect Linux distribution
        if command -v apt-get &>/dev/null; then
          install_cmd="sudo apt-get update && sudo apt-get install -y ${missing_deps[*]}"
        elif command -v yum &>/dev/null; then
          install_cmd="sudo yum install -y ${missing_deps[*]}"
        elif command -v dnf &>/dev/null; then
Confidence
98% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
linux)
        # Detect Linux distribution
        if command -v apt-get &>/dev/null; then
          install_cmd="sudo apt-get update && sudo apt-get install -y ${missing_deps[*]}"
        elif command -v yum &>/dev/null; then
          install_cmd="sudo yum install -y ${missing_deps[*]}"
        elif command -v dnf &>/dev/null; then
Confidence
98% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
if command -v apt-get &>/dev/null; then
          install_cmd="sudo apt-get update && sudo apt-get install -y ${missing_deps[*]}"
        elif command -v yum &>/dev/null; then
          install_cmd="sudo yum install -y ${missing_deps[*]}"
        elif command -v dnf &>/dev/null; then
          install_cmd="sudo dnf install -y ${missing_deps[*]}"
        elif command -v pacman &>/dev/null; then
Confidence
97% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
elif command -v yum &>/dev/null; then
          install_cmd="sudo yum install -y ${missing_deps[*]}"
        elif command -v dnf &>/dev/null; then
          install_cmd="sudo dnf install -y ${missing_deps[*]}"
        elif command -v pacman &>/dev/null; then
          install_cmd="sudo pacman -S --noconfirm ${missing_deps[*]}"
        else
Confidence
97% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
elif command -v dnf &>/dev/null; then
          install_cmd="sudo dnf install -y ${missing_deps[*]}"
        elif command -v pacman &>/dev/null; then
          install_cmd="sudo pacman -S --noconfirm ${missing_deps[*]}"
        else
          echo "Error: No supported package manager detected" >&2
          echo "  Please install manually: ${missing_deps[*]}" >&2
Confidence
98% confidence
Finding
sudo

Tool Parameter Abuse

High
Category
Tool Misuse
Content
elif command -v dnf &>/dev/null; then
          install_cmd="sudo dnf install -y ${missing_deps[*]}"
        elif command -v pacman &>/dev/null; then
          install_cmd="sudo pacman -S --noconfirm ${missing_deps[*]}"
        else
          echo "Error: No supported package manager detected" >&2
          echo "  Please install manually: ${missing_deps[*]}" >&2
Confidence
98% confidence
Finding
--noconfirm

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal