Picasso TikTok
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent video-production workflow, but it relies on external media services, API keys, local tools, and a public audio upload step that users should review before use.
Before installing, confirm you are comfortable providing the listed API keys, installing the needed media tools, and uploading generated voiceover audio to external services. Do not use sensitive or confidential scripts unless the provider and file-hosting data flows are acceptable.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may spend credits or create assets in the user's ElevenLabs, HeyGen, OpenAI, or Replicate accounts.
The workflow requires multiple provider credentials. These are aligned with the stated media-generation purpose, but users should understand the account access and billing implications, especially because the registry metadata lists no required env vars.
Required env vars: ELEVENLABS_API_KEY, ELEVENLABS_VOICE_ID, HEYGEN_API_KEY, YOUR_HEYGEN_AVATAR_ID, OPENAI_API_KEY, REPLICATE_API_TOKEN
Use least-privileged project-specific keys where possible, monitor provider usage, and ensure the registry credential declarations are updated.
Voiceover content could leave the local environment and become accessible through an external hosted URL before the final video is produced.
The generated audio is uploaded to a third-party file host to obtain a URL for HeyGen. This is disclosed and purpose-aligned, but it is an additional external data flow with unclear retention or access controls.
Upload audio to uguu.se (required by HeyGen) ... requests.post("https://uguu.se/upload", files={"files[]": ("audio.mp3", f.read(), "audio/mpeg")}, timeout=30)
Avoid using confidential scripts or unreleased content unless this upload path is acceptable; prefer controlled storage or signed URLs if available.
The user or agent may need to install and run local media/download tools, which can affect the local environment if sourced insecurely.
The skill depends on local tools and an unpinned pip-installed package, while the install specification declares no required binaries. This is normal for a media pipeline but leaves tool provenance to the user.
pip install gdown -q ... Required system tools: ffmpeg, yt-dlp, Python 3
Install ffmpeg, yt-dlp, Python packages, and related tools from trusted sources, consider pinning versions, and document them in the skill metadata.
