Skill v1.0.0

ClawScan security

ToneClone CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 19, 2026, 4:57 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions align with its stated purpose: it wraps the ToneClone CLI, uses Homebrew to install a third-party CLI, and does not request unrelated credentials or system access.
Guidance
This skill appears coherent and limited to invoking the ToneClone CLI. Before installing, verify the Homebrew tap/formula points to the official ToneClone project (check the project's GitHub link in the SKILL.md). Understand that using the skill will send content and any training data you provide to ToneClone's service — review their privacy/security docs. Note the CLI performs interactive authentication (tokens will be stored by the CLI); if you plan automated use, confirm how credentials are stored and whether you need a separate API token. If you want extra assurance, inspect the Homebrew formula and the linked GitHub repo for the CLI source before installing.

Review Dimensions

Purpose & Capability
ok: Name/description (generate content in the user's voice) match the runtime instructions and required binary: the SKILL.md only invokes the toneclone CLI and points to ToneClone documentation and repos. Requiring the toneclone binary is appropriate.
Instruction Scope
ok: Instructions direct the agent to run toneclone commands (write, personas list, knowledge list, auth status). They do not instruct reading arbitrary files, environment variables, or sending data to unrelated endpoints. Authentication is interactive ('toneclone auth login'), which is consistent with a CLI client.
Install Mechanism
note: Install uses a Homebrew tap/formula (toneclone/toneclone/toneclone), which is a common, low-risk distribution method. As a third-party tap, users should verify the tap's origin (official ToneClone repo or organization) before adding it.
Credentials
ok: No environment variables or external credentials are declared. The CLI requires user authentication via 'toneclone auth login' (interactive); the skill does not request unrelated secrets or multiple service credentials.
Persistence & Privilege
ok: Skill does not request always:true, does not modify other skills or global agent settings, and is user-invocable only. It does not demand elevated or permanent presence.