← Back to Skills Marketplace
pauldelavallaz

Picasso TikTok

by Paul de Lavallaz · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
304
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install picasso-tiktok
Description
Full TikTok/Reels video pipeline: script → TTS voiceover (ElevenLabs) → HeyGen talking avatar → auto-subtitles (Whisper) → ffmpeg compose → 1080x1920 final v...
Usage Guidance
Summary of what to consider before installing: - Metadata mismatch: the registry says no env vars, but SKILL.md requires many API keys. Ask the publisher to correct the metadata and explain why each credential is needed. - Sensitive keys: supply only throwaway/test API keys or scoped tokens (least privilege). Do not provide high-value production keys (OpenAI, Replicate, ElevenLabs, HeyGen) until you trust the author. - Third‑party uploads: the pipeline uploads audio to uguu.se — this exposes your audio to an external host. If that is unacceptable, modify the workflow to use your own storage endpoint. - Filesystem writes & absolute paths: the guide writes cache to /home/ubuntu/... and reads ~/.openclaw; run the skill in an isolated container or dedicated VM and inspect files it creates. - Undeclared env vars in examples (Cartesia, CARTESIA_VOICE_ID) mean the instructions may call additional services; request a complete list of env vars and endpoints. - Human approvals are required by the SKILL.md — maintain that manual review step and do not permit fully autonomous runs until you vet behavior. Recommended actions: run in a sandbox, review and edit SKILL.md to remove unwanted uploads/paths, ask author for corrected metadata and a minimal set of required credentials, and test with non-production API keys.
Capability Analysis
Type: OpenClaw Skill Name: picasso-tiktok Version: 1.2.0 The skill bundle automates a complex TikTok video production pipeline using multiple external APIs (ElevenLabs, HeyGen, OpenAI, Replicate) and system tools like ffmpeg and yt-dlp. It exhibits high-risk behaviors including arbitrary shell command execution for video processing and downloading content from external URLs. Notably, the code in SKILL.md includes logic to upload generated audio files to 'uguu.se', an anonymous third-party file-sharing service, to facilitate HeyGen integration. While these capabilities are plausibly required for the stated purpose, the combination of broad shell access and the exfiltration of media to an unauthenticated public host warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The skill's declared registry metadata lists no required env vars or config paths, but SKILL.md explicitly requires ELEVENLABS_API_KEY, ELEVENLABS_VOICE_ID, HEYGEN_API_KEY, YOUR_HEYGEN_AVATAR_ID, OPENAI_API_KEY, REPLICATE_API_TOKEN and system tools (ffmpeg, yt-dlp, Python). Requiring ElevenLabs/HeyGen keys is coherent with TTS/avatar generation, and OpenAI/Replicate could be plausible for Whisper/Runway integration — but the metadata vs instructions mismatch is an incoherence and a poor signal about the publisher's care. The presence of additional service mentions (Cartesia backup, uguu.se upload) increases required capabilities beyond what's stated.
Instruction Scope
Instructions instruct the agent to download videos (gdown, yt-dlp), read Telegram inbound files at ~/.openclaw/media/inbound/, write cache to an absolute path (/home/ubuntu/clawd/...), upload audio to a public file host (uguu.se), call multiple external APIs, and require manual human approval at several steps. Uploading intermediate audio to a third-party file host and writing to absolute filesystem locations are data‑exfiltration and environment assumptions the registry did not disclose. The SKILL.md also references additional env vars (e.g., CARTESIA_API_KEY) not listed in the top 'Required env vars' header, indicating inconsistency between instructions and declared requirements.
Install Mechanism
There is no install spec and no code files — this is instruction-only, which reduces risk from unexpected installers or archived downloads. However, being instruction-only means the agent will perform network calls and local file writes as described; absence of an install spec does not eliminate the concerns in instruction scope and environment access.
Credentials
The SKILL.md expects multiple credentials (ElevenLabs, HeyGen, OpenAI, Replicate) and also references other keys (Cartesia) inside examples. The registry metadata lists none — so the skill is asking for broad, sensitive credentials that were not declared. These credentials are plausible for the stated pipeline, but the mismatch, the number of credentials, and the presence of additional undocumented env vars are disproportionate and should be justified by the publisher.
Persistence & Privilege
The skill does not request always:true and does not declare privileged modifications to other skills. However, the instructions assume write access to filesystem locations (explicit cache path under /home/ubuntu and references to ~/.openclaw), which presumes filesystem permissions and persistence of intermediate files. This is not inherently malicious but should be considered when deciding where to run the skill (use isolated environment).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install picasso-tiktok
  3. After installation, invoke the skill by name or use /picasso-tiktok
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
v1.2: ElevenLabs 3-variation flow, Runway Gen-4.5 B-roll, image-to-video con Nano Banana Pro + animación con Gen-4.5, layouts avanzados, correcciones de Whisper para voseo rioplatense, checklist completo
Metadata
Slug picasso-tiktok
Version 1.2.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Picasso TikTok?

Full TikTok/Reels video pipeline: script → TTS voiceover (ElevenLabs) → HeyGen talking avatar → auto-subtitles (Whisper) → ffmpeg compose → 1080x1920 final v... It is an AI Agent Skill for Claude Code / OpenClaw, with 304 downloads so far.

How do I install Picasso TikTok?

Run "/install picasso-tiktok" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Picasso TikTok free?

Yes, Picasso TikTok is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Picasso TikTok support?

Picasso TikTok is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Picasso TikTok?

It is built and maintained by Paul de Lavallaz (@pauldelavallaz); the current version is v1.2.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments