ListenHub
ReviewAudited by ClawScan on May 10, 2026.
Overview
ListenHub mostly matches its media-generation purpose, but the image helper includes under-disclosed system setup, credential persistence, and a different Labnana API endpoint that users should review first.
Review the image script before use. Set LISTENHUB_API_KEY yourself through a trusted secret/env mechanism, install curl/jq manually if needed, and only submit prompts, text, URLs, or images you are comfortable sending to the documented provider endpoints.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running image generation could unexpectedly modify the local system or ask for administrator privileges to install packages.
The image helper contains a dependency setup path that can run package-manager commands, including sudo and eval, when curl/jq are missing. This is not clearly declared by the registry requirements or SKILL.md.
echo " Auto-installing..." ... install_cmd="sudo apt-get update && sudo apt-get install -y ${missing_deps[*]}" ... if eval "$install_cmd"; thenRequire explicit user approval before any package install, remove automatic installation, and declare curl/jq requirements in metadata.
The API key may remain stored in a shell profile after the task, making it available to future shells or processes on the machine.
The image setup routine prompts for an API key and persists it into a shell startup file, while the registry metadata declares no primary credential or required environment variable.
echo -n " Please paste your API key: " >&2; read -r api_key ... echo "export LISTENHUB_API_KEY=\"$api_key\"" >> "$shell_rc"
Declare the credential requirement, prefer OpenClaw/secret-store configuration, and ask clearly before saving any API key to shell startup files.
Image prompts, reference-image URLs, and possibly credentials may be sent to a service name different from what the user expects.
The skill describes image generation as via ListenHub, but the image script is branded Labnana and targets a Labnana API host, which is not clearly disclosed to the user.
# Labnana Image Generation Script ... API_ENDPOINT="https://api.labnana.com/openapi/v1/images/generation"
Disclose the Labnana/Marswave relationship and destination host in SKILL.md, or route image generation through the same documented ListenHub API.
Content provided to the skill will be processed by the external ListenHub/Marswave service.
The skill sends user-provided prompts, text, URLs, and scripts to an external API with the user's API key. This is expected for a media-generation service, but users should understand the data flow.
curl -sS -X POST "${API_BASE}/${endpoint}" -H "Authorization: Bearer ${LISTENHUB_API_KEY}" ... -d "$body"Avoid submitting private or sensitive content unless you are comfortable with the provider processing it.