Ollama Proxy
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s stated purpose as a proxy is coherent, but it asks you to install and run an unauthenticated network Ollama proxy/node fleet that can route, log, and manage model requests, and the provided artifacts show no clear access-control boundaries for those actions.
Review this carefully before installing. Use it only on a trusted network, do not expose the proxy or dashboard to the internet, verify how nodes and clients are authenticated, and check what request data is stored in logs. Pin or inspect the PyPI package before running herd or herd-node.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any tool that can reach the proxy could potentially submit prompts, consume compute, or trigger model downloads/changes on the fleet.
The artifact advertises a network-accessible proxy that accepts the full Ollama API, including model-management actions, while the OpenAI-compatible example does not require an API key. The provided instructions do not show authorization or approval boundaries for those actions.
Every Ollama API endpoint works through the Ollama proxy ... api_key="not-needed" ... curl -N http://ollama-proxy:11435/api/pull -d '{"name": "codestral"}'
Run it only on trusted networks, bind or firewall the service appropriately, and add authentication or explicit user approval for model-management endpoints where supported.
Prompt traffic, model workload routing, and fleet information could involve unintended machines if the discovery and network trust boundary are not controlled.
Proxy/node communication is described as automatic network discovery, but the provided artifact does not describe identity verification, allowed-node lists, or origin controls.
herd-node # discovers the Ollama proxy automatically on your network
Verify how discovery authenticates nodes and clients before use; restrict it to a trusted LAN, VPN, or explicit allowlist.
Sensitive prompts or usage metadata may remain in local trace/log files if request tracing includes payloads.
The proxy stores request traces/logs, which is expected for monitoring but may retain prompt, model, timing, or routing data depending on implementation.
| Request tracing | None | Ollama proxy logs to SQLite trace store |
Check what is logged, protect the ~/.fleet-manager data directory, and set retention or cleanup procedures for traces.
A compromised or unexpectedly changed package version would run with the user's local privileges.
The setup depends on external PyPI code that is not pinned in the instructions and is not included in the provided skill artifacts.
pip install ollama-herd # PyPI: https://pypi.org/project/ollama-herd/
Install from a trusted environment, pin or review the package version, and prefer a virtual environment or container.
The services may keep accepting and routing requests while they are running, consuming local compute and network resources.
The skill instructs users to run long-lived proxy and node processes across machines. This is disclosed and purpose-aligned, and no hidden persistence is shown.
herd # starts the Ollama proxy on port 11435 ... herd-node # discovers the Ollama proxy automatically on your network
Start them intentionally, monitor them, and stop or disable them when not needed.
