Is 0x7466/open-webui safe?

https://github.com/openclaw/skills/tree/main/skills/0x7466/open-webui

Score: 86 · Verdict: SAFE

This is a legitimate Open WebUI API client skill with transparent Python code and clean installation behavior. The primary risk surface is its file upload capability, which could be misused to exfiltrate data if OPENWEBUI_URL is pointed at a malicious server or if the agent is socially engineered into uploading sensitive files. No prompt injection, canary tampering, or suspicious clone-time behavior was detected.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 90/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (8)

MEDIUM Arbitrary file upload to user-configured URL -15

The upload_file method in openwebui-cli.py reads any file path provided as an argument and POSTs the file to OPENWEBUI_URL. While this is the intended RAG functionality, it creates an exfiltration vector if the URL points to a malicious server or if the agent is tricked into uploading sensitive files.

MEDIUM No strict validation of OPENWEBUI_URL destination -10

The base URL is accepted from an environment variable or a CLI argument; the only check applied is a localhost test used to decide whether SSL verification is disabled. There is no allowlist, domain validation, or warning for non-localhost URLs, so an attacker who controls the environment variable could redirect all API traffic.

LOW SSL verification disabled for localhost connections -5

When connecting to localhost or 127.0.0.1, SSL certificate verification is disabled and urllib3's InsecureRequestWarning is suppressed. While this is common for local development, it reduces the security of local connections.

LOW Broad activation scope with many API operations -10

The skill covers a wide range of operations (chat, file upload, knowledge management, model pulling/deletion, image generation, audio processing), giving the agent significant capabilities when activated. Each operation is legitimate, but the combined surface area is large.

LOW Python script executed on user's system -10

The skill requires executing openwebui-cli.py via python3, a script of roughly 350 lines. The code is transparent and benign, using only the standard library plus requests, with no dynamic code generation or shell commands.

LOW Destructive model and knowledge operations available -10

The skill exposes model deletion (ollama delete) and knowledge collection management. The CLI tool includes confirmation prompts for destructive actions, but the SKILL.md also instructs the agent to perform these operations on request.

INFO Lock file references unrelated skill -5

The .clawhub/lock.json references 'academic-research-hub' as an installed skill. This appears to be residual metadata from the build/template system and has no functional impact.

INFO Clean installation with expected network activity only -4

All network traffic during install is attributable to GitHub (git clone), Ubuntu system services, and local DNS/mDNS. No unexpected outbound connections were detected, and no firewall blocks were recorded.