skills/marswaveai/skills/listenhub/Gen Agent Trust Hub

listenhub

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The file scripts/lib.sh contains a check_version function that automatically downloads scripts from an external GitHub repository and replaces the local skill files. This allows arbitrary code to be pushed to and executed on the host system via the update mechanism.
      • Evidence: lib.sh lines 34-88 implement logic that fetches a script list from the GitHub API and then uses curl to download and overwrite local files.
  • [COMMAND_EXECUTION] (MEDIUM): The skill dynamically modifies file permissions on the host system for downloaded content.
      • Evidence: lib.sh line 80: mv -f "$script_tmp" "$script" && chmod +x "$script".
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill attempts to extract sensitive API keys from the user's shell configuration files using potentially unsafe patterns.
      • Evidence: lib.sh lines 105-111 use eval "$(grep 'export LISTENHUB_API_KEY' ~/.zshrc)", which could lead to arbitrary command execution if the shell profile is tampered with.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill connects to raw.githubusercontent.com and api.github.com to check for versions and download code updates.
  • [DATA_EXPOSURE] (LOW): The skill transmits user-provided content and URLs to an external API endpoint (api.marswave.ai).
  • [PROMPT_INJECTION] (LOW): Several scripts (create-podcast.sh, create-tts.sh) accept external URLs and text as input, which are processed by a remote backend, creating an attack surface for indirect prompt injection.
      • Ingestion points: --source-url and --content parameters in multiple scripts.
      • Boundary markers: Absent; content is wrapped in JSON but not otherwise sanitized for LLM instruction injection.
      • Capability inventory: Execution of network requests (curl) and local shell commands.
      • Sanitization: Basic JSON encoding via jq is used, but no content-level sanitization is performed.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 05:02 PM