Trust Assessment
open-webui received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 3 high, 1 medium, and 0 low severity. Key findings include "Suspicious import: requests", "Potential data exfiltration: file read + network send", and "Arbitrary File Upload via Skill Implementation".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential data exfiltration: file read + network send. Function 'upload_file' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/0x7466/open-webui/scripts/openwebui-cli.py:129 |
| HIGH | Arbitrary File Upload via Skill Implementation. The `upload_file` function in `scripts/openwebui-cli.py` directly uses the `file_path` argument to open and upload files without validating if the path is within a designated safe workspace or prompting for user confirmation if it's an absolute path outside the workspace. This directly contradicts the skill's own safety instruction in `SKILL.md` ('Confirm before accessing files outside workspace'). An attacker could exploit this by providing an arbitrary file path (e.g., `/etc/passwd`, `/root/.ssh/id_rsa`) to exfiltrate sensitive data from the agent's host system by uploading it to the Open WebUI instance. Implement robust path validation within the `upload_file` function to ensure `file_path` is restricted to a designated safe directory (e.g., a temporary workspace). Alternatively, the agent calling this function must implement explicit user confirmation for any file paths that are absolute or point outside the defined workspace. | LLM | scripts/openwebui-cli.py:99 |
| HIGH | Arbitrary File Write via Skill Implementation. The `download_file` function in `scripts/openwebui-cli.py` directly uses the `output_path` argument to write downloaded content without validating if the path is within a designated safe workspace or prompting for user confirmation if it's an absolute path outside the workspace. This violates the implicit safety boundary set by the skill's rubric ('Confirm before accessing files outside workspace'). An attacker could provide a malicious `output_path` (e.g., `/etc/crontab`, `/tmp/malicious_script.sh`) to overwrite arbitrary system files, potentially leading to command injection or data corruption. Implement robust path validation within the `download_file` function to ensure `output_path` is restricted to a designated safe directory (e.g., a temporary workspace). Alternatively, the agent calling this function must implement explicit user confirmation for any file paths that are absolute or point outside the defined workspace. | LLM | scripts/openwebui-cli.py:150 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/0x7466/open-webui/scripts/openwebui-cli.py:25 |