Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

overthinkos/openwebui

Name: openwebui
Author: overthinkos

ov-openwebui/skills/openwebui/SKILL.md

npx skillsauth add overthinkos/overthink-plugins openwebui

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Image: openwebui

Open WebUI with auto-configured LLM providers (Ollama, OpenRouter), MCP server discovery, and Jupyter code execution. No manual setup needed — secrets auto-managed via ov secrets.

Definition

openwebui:
  base: fedora
  layers:
    - agent-forwarding
    - openwebui
    - dbus
    - ov
  ports:
    - "8080:8080"

Layer Stack

| Layer | Purpose | |-------|---------| | agent-forwarding | SSH + GPG agent forwarding into container | | openwebui | Open WebUI with auto-config entrypoint | | dbus | D-Bus session bus | | ov | Overthink CLI for in-container management |

Quick Start

ov image build openwebui
ov config openwebui -e OPENROUTER_API_KEY=sk-or-xxx
ov start openwebui
# Open http://localhost:8080

Deployment Patterns

Standalone with GPG secrets (recommended)

ov secrets gpg setup
ov secrets gpg set OPENROUTER_API_KEY sk-or-xxx
ov image build openwebui
ov config openwebui --env-file .secrets
ov start openwebui

With local Ollama

ov config ollama
ov config openwebui --env-file .secrets --update-all
ov start ollama openwebui

Full workstation (Ollama + Jupyter + Browser)

ov config ollama
ov config jupyter --update-all
ov config selkies-desktop --update-all
ov config openwebui --env-file .secrets --update-all
ov start ollama jupyter selkies-desktop openwebui

Secrets Management

# Tier 1: Auto-generated infrastructure secrets
ov secrets list ov/openwebui
ov secrets get ov/openwebui webui-secret-key
ov secrets set ov/openwebui admin-password --generate

# Tier 2: User API keys (GPG-encrypted)
ov secrets gpg set OPENROUTER_API_KEY sk-or-new-key
ov secrets gpg show
ov config openwebui --env-file .secrets --update-all

Cross-Container Service Discovery

Deploy alongside provider containers for full functionality:

# 1. Deploy ollama (provides OLLAMA_HOST)
ov config ollama
ov start ollama

# 2. Deploy jupyter (provides jupyter MCP server)
ov config jupyter --update-all
ov start jupyter

# 3. Deploy openwebui (consumes both)
ov config openwebui --env-file .secrets --update-all
ov start openwebui

Open WebUI receives:

OLLAMA_BASE_URL=http://ov-ollama:11434 — local LLM inference
TOOL_SERVER_CONNECTIONS=[...] — MCP servers (jupyter + chrome-devtools)
CODE_EXECUTION_ENGINE=jupyter — code execution via Jupyter

Key Layers

/ov-openwebui:openwebui — Auto-config entrypoint, secrets, env_accepts, TOOL_SERVER_CONNECTIONS format
/ov-foundation:agent-forwarding — SSH/GPG forwarding

Related Images

/ov-jupyter:jupyter — deploy alongside for MCP notebooks and code execution
/ov-ollama:ollama — deploy alongside for local LLM inference
/ov-hermes:hermes — alternative AI frontend (CLI agent vs web UI)
/ov-selkies:selkies-desktop — deploy alongside for shared Chrome browser

Verification

ov status openwebui
ov service status openwebui                    # openwebui: RUNNING
curl -s -o /dev/null -w '%{http_code}' http://localhost:8080   # 200
ov shell openwebui -c "open-webui version"

# Verify secrets
podman secret ls | grep openwebui              # webui-secret-key, admin-password

# Verify MCP (inside container process)
podman exec ov-openwebui cat /proc/3/environ | tr '\0' '\n' | grep TOOL_SERVER_CONNECTIONS

Test Coverage

Latest ov eval live openwebui run: 24 passed, 0 failed, 0 skipped. Covers: openwebui entrypoint script presence, pixi python + ov binary, and deploy-scope: service up, port reachable on 127.0.0.1:${HOST_PORT:8080}, HTTP 200 on / (30-second timeout for first-request startup), admin email env var injected. See /ov-build:eval for the framework.

Related Skills

/ov-openwebui:openwebui — layer authoring
/ov-build:eval — declarative testing framework
/ov-build:secrets — WEBUI_ADMIN_PASSWORD + provider API keys
/ov-core:config — -e WEBUI_ADMIN_EMAIL=... deploy-time env setup

When to Use This Skill

MUST be invoked before building, deploying, configuring, or troubleshooting the openwebui image.

/ov-build:image — image family umbrella (image: entries in overthink.yml, build/validate/inspect/list)
/ov-build:build — build.yml vocabulary (distros, builders, init-systems)

overthinkos/openwebui

ov-openwebui/skills/openwebui/SKILL.md

Open WebUI image with auto-configured LLM providers, MCP servers, and Jupyter on port 8080. MUST be invoked before building, deploying, configuring, or troubleshooting the openwebui image.

tools

Updated May 6, 2026

$ install --global

skillsauth

npx skillsauth add overthinkos/overthink-plugins openwebui

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 6, 2026, 6:58 AM195.8s1 file scanned

SKILL.md

name:: openwebui
description:: |

Image: openwebui

Open WebUI with auto-configured LLM providers (Ollama, OpenRouter), MCP server discovery, and Jupyter code execution. No manual setup needed — secrets auto-managed via ov secrets.

Definition

openwebui:
  base: fedora
  layers:
    - agent-forwarding
    - openwebui
    - dbus
    - ov
  ports:
    - "8080:8080"

Layer Stack

Quick Start

ov image build openwebui
ov config openwebui -e OPENROUTER_API_KEY=sk-or-xxx
ov start openwebui
# Open http://localhost:8080

Deployment Patterns

Standalone with GPG secrets (recommended)

ov secrets gpg setup
ov secrets gpg set OPENROUTER_API_KEY sk-or-xxx
ov image build openwebui
ov config openwebui --env-file .secrets
ov start openwebui

With local Ollama

ov config ollama
ov config openwebui --env-file .secrets --update-all
ov start ollama openwebui

Full workstation (Ollama + Jupyter + Browser)

ov config ollama
ov config jupyter --update-all
ov config selkies-desktop --update-all
ov config openwebui --env-file .secrets --update-all
ov start ollama jupyter selkies-desktop openwebui

Secrets Management

# Tier 1: Auto-generated infrastructure secrets
ov secrets list ov/openwebui
ov secrets get ov/openwebui webui-secret-key
ov secrets set ov/openwebui admin-password --generate

# Tier 2: User API keys (GPG-encrypted)
ov secrets gpg set OPENROUTER_API_KEY sk-or-new-key
ov secrets gpg show
ov config openwebui --env-file .secrets --update-all

Cross-Container Service Discovery

Deploy alongside provider containers for full functionality:

# 1. Deploy ollama (provides OLLAMA_HOST)
ov config ollama
ov start ollama

# 2. Deploy jupyter (provides jupyter MCP server)
ov config jupyter --update-all
ov start jupyter

# 3. Deploy openwebui (consumes both)
ov config openwebui --env-file .secrets --update-all
ov start openwebui

Open WebUI receives:

OLLAMA_BASE_URL=http://ov-ollama:11434 — local LLM inference
TOOL_SERVER_CONNECTIONS=[...] — MCP servers (jupyter + chrome-devtools)
CODE_EXECUTION_ENGINE=jupyter — code execution via Jupyter

Key Layers

/ov-openwebui:openwebui — Auto-config entrypoint, secrets, env_accepts, TOOL_SERVER_CONNECTIONS format
/ov-foundation:agent-forwarding — SSH/GPG forwarding

Related Images

/ov-jupyter:jupyter — deploy alongside for MCP notebooks and code execution
/ov-ollama:ollama — deploy alongside for local LLM inference
/ov-hermes:hermes — alternative AI frontend (CLI agent vs web UI)
/ov-selkies:selkies-desktop — deploy alongside for shared Chrome browser

Verification

ov status openwebui
ov service status openwebui                    # openwebui: RUNNING
curl -s -o /dev/null -w '%{http_code}' http://localhost:8080   # 200
ov shell openwebui -c "open-webui version"

# Verify secrets
podman secret ls | grep openwebui              # webui-secret-key, admin-password

# Verify MCP (inside container process)
podman exec ov-openwebui cat /proc/3/environ | tr '\0' '\n' | grep TOOL_SERVER_CONNECTIONS

Test Coverage

Related Skills

/ov-openwebui:openwebui — layer authoring
/ov-build:eval — declarative testing framework
/ov-build:secrets — WEBUI_ADMIN_PASSWORD + provider API keys
/ov-core:config — -e WEBUI_ADMIN_EMAIL=... deploy-time env setup

When to Use This Skill

MUST be invoked before building, deploying, configuring, or troubleshooting the openwebui image.

/ov-build:image — image family umbrella (image: entries in overthink.yml, build/validate/inspect/list)
/ov-build:build — build.yml vocabulary (distros, builders, init-systems)

Related Skills

overthinkos/charly

tools

VerifiedTrustedCommunity

OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-cachyos

development

VerifiedTrustedCommunity

Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-cachyos

overthinkos/charly-fedora

tools

VerifiedTrustedCommunity

Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-fedora

overthinkos/charly-arch

tools

VerifiedTrustedCommunity

Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-arch

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/overthinkos/overthink-plugins.git

# Copy into Claude Code skills folder (global)
cp -r overthink-plugins/ov-openwebui/skills/openwebui ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

overthinkos/overthink-plugins

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT