Skill v1.0.0
ClawScan security
Open WebUI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:26 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions match its stated purpose (interacting with an Open WebUI instance) but the registry metadata omits required environment variables and there are a few operational risks the user should understand before installing.
- Guidance: This skill appears to implement the Open WebUI API as described, but the registry metadata incorrectly omits that an API token (OPENWEBUI_TOKEN) is required — the included CLI will fail without it. Before installing: 1) Inspect the provided scripts locally (openwebui-cli.py is included) to verify behavior. 2) Only use an API token for an Open WebUI instance you trust; uploads and chat messages (and any file contents) are sent to the configured OPENWEBUI_URL and could expose sensitive data. 3) Confirm destructive actions (deleting models/collections) only after explicit prompts. 4) Note the script defines a token-redaction helper but review any output/logging to ensure full tokens are not printed. If the registry metadata were corrected to declare the required env vars, and you are confident in the target Open WebUI instance, this would be coherent; the current mismatch is why I rate it suspicious.
Review Dimensions
- Purpose & Capability (note): The name, SKILL.md, and the included Python CLI all align: they implement REST interactions (models, chat, files, knowledge, Ollama proxy) with an Open WebUI instance. However, the registry metadata claims 'Required env vars: none' while the SKILL.md and the CLI require OPENWEBUI_TOKEN (and usually OPENWEBUI_URL). This metadata mismatch is an incoherence.
- Instruction Scope (ok): Runtime instructions and the CLI stay within the stated scope: API calls to the provided Open WebUI URL, uploading files for RAG, managing knowledge collections, and Ollama operations. The skill will read local files when asked to upload them (expected for file upload features). There are explicit confirmations for destructive operations in the code and guidance in SKILL.md about redacting tokens and validating URLs.
- Install Mechanism (ok): This is an instruction-only skill with an included Python script. No install spec or external downloads are present. The script requires the 'requests' library (the script exits with an error if requests is missing). No extract/from-URL installs are used.
- Credentials (concern): The CLI requires a Bearer token (OPENWEBUI_TOKEN) and optionally OPENWEBUI_URL; that is proportionate to the functionality. The concern is that the skill registry metadata did not declare these required env vars—so the manifest underreports credentials needed. Also, any file you upload or text you send will be transmitted to whatever OPENWEBUI_URL you configure, so providing a token to an untrusted instance can lead to data exposure.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills or global agent settings, and does not request persistent system privileges. It runs as a CLI-style client and uses the provided token for requests only.
