Skill v1.0.3
ClawScan security
open-webui-api operation skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review (Mar 15, 2026, 6:27 AM)
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code matches its stated purpose (Open WebUI RAG upload/search/chat), but the manifest/instructions disagree about required environment variables and binaries, and some runtime deps (curl, jq) are not declared — this inconsistency is a risk and should be clarified before installing.
- Guidance: What to check before installing:
  - This skill appears to do what it says: talk to an Open WebUI instance, upload/list files, and query RAG. There is no sign of exfiltration to unknown endpoints in the code — network calls are only made to OPENWEBUI_URL.
  - Fix or confirm environment/dependency declarations: you must set OPENWEBUI_URL and OPENWEBUI_API_KEY (the skill will not work without them). Also ensure python3 and the requests package are installed. The bash wrapper uses curl and jq — install those (or avoid using the bash wrapper) or the script will fail.
  - The package metadata is inconsistent (some manifests claim no env vars, meta.json shows a different version, requires.bins lists a Python package as a binary). Treat this as sloppy packaging rather than proof of malice, but ask the author to correct the manifests or run the code in a sandbox first.
  - Security hygiene: only point OPENWEBUI_URL at servers you trust (prefer local or LAN instances). Treat the API key like any JWT/secret: do not reuse a high-privilege token if you can create a scoped token. If unsure, run the scripts manually in a controlled environment to verify behavior before granting the skill to an autonomous agent.
  - If you want higher assurance, request the publisher to: (1) fix the manifest (declare OPENWEBUI_API_KEY as primaryEnv), (2) declare required binaries (curl, jq, python3), and (3) provide a canonical install instruction or packaged release.
Review Dimensions
- Purpose & Capability (concern): The scripts and SKILL.md clearly implement Open WebUI RAG actions and legitimately need OPENWEBUI_URL and OPENWEBUI_API_KEY. However, registry-level metadata at the top of the package summary said 'Required env vars: none' while SKILL.md and _meta.json declare OPENWEBUI_URL and OPENWEBUI_API_KEY. The requires.bins entry lists ['python3','requests'], which is incoherent (requests is a Python package, not a binary). The bash script uses curl and jq, but neither is declared as required. These mismatches mean the declared requirements do not reliably represent what the skill actually needs to operate.
- Instruction Scope (note): The SKILL.md and included scripts limit actions to contacting the Open WebUI endpoint, listing/uploading files, creating knowledge collections, and invoking chat/search endpoints. They require reading local files when uploading (expected). The instructions do not instruct the agent to read unrelated system files or exfiltrate data to other endpoints. Overall the runtime behavior stays within the stated purpose, but the README/SKILL.md instruct users to clone and set environment variables with explicit examples that point to local or LAN URLs.
- Install Mechanism (note): There is no high-risk download/install step: SKILL.md suggests installing the Python requests package (pip). The package includes shell and Python scripts (no remote install from arbitrary hosts). However, the bundled metadata/install information is inconsistent (SKILL.md has a pip entry; the registry said no install spec). Also, the bash script depends on curl and jq (not installed by pip) — missing declared dependencies may lead to runtime failures or accidental behavior when fallback occurs.
- Credentials (concern): The code legitimately needs OPENWEBUI_URL and OPENWEBUI_API_KEY (a single API credential) and no other secrets. But the package metadata presented in multiple places is inconsistent: some places list no required env vars, others list the two vars. The skill does not request unrelated credentials, which is good, but the inconsistent declaration (and missing primaryEnv setting) is a red flag that manifests were not maintained correctly and could confuse automated permission checks.
- Persistence & Privilege (ok): The skill is not always:true, is user-invocable, and does not request elevated/persistent system-wide privileges. It does not modify other skills or system configs. Autonomy (disable-model-invocation:false) is the platform default and is not, by itself, an additional concern here.
