Listenhub
Warn
Audited by ClawScan on May 10, 2026.
Overview
Listenhub mostly matches its media-generation purpose, but it can automatically change the local system and includes a conditional self-update path that could replace reviewed scripts.
Review the scripts before installing. If you use it, be prepared for API-key setup and external upload of your prompts/text/URLs, and do not allow the image script's automatic package installation or the automatic script updates unless you explicitly trust those changes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running image generation could install or modify system packages before the user has explicitly approved an installation step.
If jq or curl is missing, the script does not merely instruct the user; it constructs and executes package-manager commands, including sudo/non-interactive installs on some platforms.
echo " Auto-installing..." ... install_cmd="sudo apt-get update && sudo apt-get install -y ${missing_deps[*]}" ... if eval "$install_cmd"; then
Declare required binaries in metadata and make dependency installation opt-in, with a clear confirmation prompt and manual install instructions.
A future run could execute script code that differs from the reviewed artifact if the update path is activated.
The shared library contains a non-interactive auto-update path that can download scripts from GitHub and replace local executable scripts. The provided manifest lacks a VERSION file, so activation is conditional, but the supply-chain path is present.
REMOTE_VERSION_URL="https://raw.githubusercontent.com/marswaveai/skills/main/skills/listenhub/VERSION" ... curl -fsSL --max-time 10 "$base_url/scripts/$script_name" -o "$SCRIPT_DIR/$script_name.tmp" ... mv -f "$script_tmp" "$script" && chmod +x "$script"
Remove automatic script replacement, or make updates explicit, signed, and user-approved with pinned versions.
Generated content requests will be made under the user's ListenHub account and may expose submitted prompts/text/URLs to the provider.
The scripts require and use a local ListenHub API key for authenticated provider requests, which is expected for this service but still gives the skill account-level authority for generated media requests.
check_api_key() { if [ -z "${LISTENHUB_API_KEY:-}" ]; then ... } ... -H "Authorization: Bearer ${LISTENHUB_API_KEY}"
Use a revocable API key, avoid submitting private material unless you trust the provider, and revoke the key if you uninstall or stop using the skill.
