ListenHub

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: listenhub-ai
Version: 0.6.0

The skill is classified as suspicious due to the `generate-image.sh` script's capability to auto-install dependencies (`jq`, `curl`) using system package managers (e.g., `sudo apt-get install`) and to write configuration (API key, output directory) directly into the user's shell RC files (`~/.zshrc`, `~/.bashrc`). While these actions are intended for user convenience and configuration, they represent high-risk capabilities that could be exploited if the script or its inputs were compromised, potentially leading to unauthorized command execution or persistence. There is no clear evidence of intentional malicious behavior like data exfiltration or backdoors, but the broad permissions requested for auto-installation and direct modification of shell configuration files elevate the risk beyond benign.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running image generation could unexpectedly modify the local system or ask for administrator privileges to install packages.

Why it was flagged

The image helper contains a dependency setup path that can run package-manager commands, including sudo and eval, when curl/jq are missing. This is not clearly declared by the registry requirements or SKILL.md.

Skill content

echo "  Auto-installing..." ... install_cmd="sudo apt-get update && sudo apt-get install -y ${missing_deps[*]}" ... if eval "$install_cmd"; then

Recommendation

Require explicit user approval before any package install, remove automatic installation, and declare curl/jq requirements in metadata.

What this means

The API key may remain stored in a shell profile after the task, making it available to future shells or processes on the machine.

Why it was flagged

The image setup routine prompts for an API key and persists it into a shell startup file, while the registry metadata declares no primary credential or required environment variable.

Skill content

echo -n "   Please paste your API key: " >&2; read -r api_key ... echo "export LISTENHUB_API_KEY=\"$api_key\"" >> "$shell_rc"

Recommendation

Declare the credential requirement, prefer OpenClaw/secret-store configuration, and ask clearly before saving any API key to shell startup files.

What this means

Image prompts, reference-image URLs, and possibly credentials may be sent to a service name different from what the user expects.

Why it was flagged

The skill describes image generation as via ListenHub, but the image script is branded Labnana and targets a Labnana API host, which is not clearly disclosed to the user.

Skill content

# Labnana Image Generation Script ... API_ENDPOINT="https://api.labnana.com/openapi/v1/images/generation"

Recommendation

Disclose the Labnana/Marswave relationship and destination host in SKILL.md, or route image generation through the same documented ListenHub API.

What this means

Content provided to the skill will be processed by the external ListenHub/Marswave service.

Why it was flagged

The skill sends user-provided prompts, text, URLs, and scripts to an external API with the user's API key. This is expected for a media-generation service, but users should understand the data flow.

Skill content

curl -sS -X POST "${API_BASE}/${endpoint}" -H "Authorization: Bearer ${LISTENHUB_API_KEY}" ... -d "$body"

Recommendation

Avoid submitting private or sensitive content unless you are comfortable with the provider processing it.