open-webui-guide

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly ingests untrusted third‑party content: SKILL.md and references/rag.md describe uploading/indexing external documents and web-search retrieval that are injected into model prompts, and references/pipelines.md + config.md allow registering arbitrary external HTTP pipeline endpoints (OPENAI_API_BASE_URLS) whose responses can modify requests/responses—creating a clear path for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Yes — the docs show Open WebUI calling external pipeline/model endpoints at runtime via OPENAI_API_BASE_URLS (e.g., http://pipeline-server:9099), and those pipeline servers can act as Filter/Model pipelines that modify requests or generate responses, thus directly controlling prompts and execution.