ClawHub

Open WebUI

v1.0.0

Complete Open WebUI API integration for managing LLM models, chat completions, Ollama proxy operations, file uploads, knowledge bases (RAG), image generation, audio processing, and pipelines. Use this skill when interacting with Open WebUI instances via REST API - listing models, chatting with LLMs, uploading files for RAG, managing knowledge collections, or executing Ollama commands through the Open WebUI proxy. Requires OPENWEBUI_URL and OPENWEBUI_TOKEN environment variables or explicit parameters.

0· 1k·6 current·6 all-time
byTFM@0x7466
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, SKILL.md, and the included Python CLI all align: they implement REST interactions (models, chat, files, knowledge, Ollama proxy) with an Open WebUI instance. However, the registry metadata claims 'Required env vars: none' while the SKILL.md and the CLI require OPENWEBUI_TOKEN (and usually OPENWEBUI_URL). This metadata mismatch is an incoherence.
Instruction Scope
Runtime instructions and the CLI stay within the stated scope: API calls to the provided Open WebUI URL, uploading files for RAG, managing knowledge collections, and Ollama operations. The skill will read local files when asked to upload them (expected for file upload features). There are explicit confirmations for destructive operations in the code and guidance in SKILL.md about redacting tokens and validating URLs.
Install Mechanism
This is an instruction-only skill with an included Python script. No install spec or external downloads are present. The script requires the 'requests' library (the script exits with an error if requests is missing). No extract/from-URL installs are used.
!
Credentials
The CLI requires a Bearer token (OPENWEBUI_TOKEN) and optionally OPENWEBUI_URL; that is proportionate to the functionality. The concern is that the skill registry metadata did not declare these required env vars—so the manifest underreports credentials needed. Also, any file you upload or text you send will be transmitted to whatever OPENWEBUI_URL you configure, so providing a token to an untrusted instance can lead to data exposure.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent settings, and does not request persistent system privileges. It runs as a CLI-style client and uses the provided token for requests only.
What to consider before installing
This skill appears to implement the Open WebUI API as described, but the registry metadata incorrectly omits that an API token (OPENWEBUI_TOKEN) is required — the included CLI will fail without it. Before installing: 1) Inspect the provided scripts locally (openwebui-cli.py is included) to verify behavior. 2) Only use an API token for an Open WebUI instance you trust; uploads and chat messages (and any file contents) are sent to the configured OPENWEBUI_URL and could expose sensitive data. 3) Confirm destructive actions (deleting models/collections) only after explicit prompts. 4) Note the script defines a token-redaction helper but review any output/logging to ensure full tokens are not printed. If the registry metadata were corrected to declare the required env vars, and you are confident in the target Open WebUI instance, this would be coherent; the current mismatch is why I rate it suspicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk979azbh58r42zywkka3ejs7k580rvsj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments