
open-webui

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: CRITICAL (DATA_EXFILTRATION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis

================================================================================

🔴 VERDICT: CRITICAL

This skill poses a critical data exfiltration risk. The scripts/openwebui-cli.py script's upload_file function is designed to read any file specified by its file_path argument and send its content to the OPENWEBUI_URL. Since OPENWEBUI_URL is a user-controlled environment variable or command-line argument, a malicious actor could set this URL to their own server and then prompt the agent to upload sensitive files (e.g., ~/.aws/credentials, ~/.ssh/id_rsa). This would directly exfiltrate the content of those files. Furthermore, the OPENWEBUI_TOKEN is sent as a Bearer token in the Authorization header for all requests to the user-defined OPENWEBUI_URL, making it vulnerable to exfiltration if the URL is malicious.

Total Findings: 3

🔴 CRITICAL Findings

  • Arbitrary File Read and Exfiltration
    scripts/openwebui-cli.py:100
    Evidence snippet: def upload_file(self, file_path: str, process: bool = True) -> dict:
    Reasoning: The upload_file function takes file_path as an argument. Inside this function, with open(path, "rb") as f: reads the content of the specified file. This content is then sent via requests.post to the OPENWEBUI_URL. As OPENWEBUI_URL is user-controlled, this allows for the exfiltration of any file accessible by the agent to an arbitrary external server. This is a direct and severe data exfiltration vector.

  • API Token Exfiltration to User-Controlled Endpoint
    scripts/openwebui-cli.py:30
    Evidence snippet: self.token = token or os.getenv("OPENWEBUI_TOKEN")
    Reasoning: The OPENWEBUI_TOKEN is retrieved from environment variables or arguments and then included in the Authorization header for all requests made to self.base_url. Since self.base_url (derived from OPENWEBUI_URL) is user-controlled, a malicious OPENWEBUI_URL would receive the agent's API token, leading to its exfiltration.

🔵 LOW Findings

  • Unverifiable External Dependency (requests library)
    scripts/openwebui-cli.py:14
    Evidence snippet: import requests
    Reasoning: The script requires the requests Python library, which is an external dependency. While requests is a widely used and generally trusted library, it is still an external component that cannot be fully audited at analysis time. The script includes an ImportError check and suggests pip install requests.

================================================================================

Recommendations
  • AI detected serious security threats

Audit Metadata
  Risk Level: CRITICAL
  Analyzed: Feb 12, 2026, 06:13 AM