overthinkos/openwebui
ov-layers/skills/openwebui/SKILL.md
Open WebUI with auto-configured LLM providers, MCP servers, and Jupyter code execution. MUST be invoked before any work involving: the openwebui layer, Open WebUI configuration, LLM provider auto-detection, or MCP server discovery for Open WebUI.
tools
Updated Apr 24, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins openwebuiInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 3:02 PM110.9s1 file scanned
SKILL.md
- name:
- openwebui
- description:
- |
- MUST be invoked before any work involving:
- the openwebui layer, Open WebUI configuration,
openwebui -- Open WebUI with auto-configuration
Layer Properties
| Property | Value |
|----------|-------|
| Dependencies | python, supervisord |
| Volumes | data -> /opt/data |
| Ports | 8080 |
| Aliases | open-webui -> open-webui |
| Services | openwebui (supervisord, autostart) |
| Install files | pixi.toml, tasks:, openwebui-entrypoint |
Environment Variables
| Variable | Value |
|----------|-------|
| DATA_DIR | /opt/data |
| PORT | 8080 |
| DOCKER | true |
| ENABLE_DIRECT_CONNECTIONS | true |
| ENABLE_CODE_EXECUTION | true |
| ENABLE_PERSISTENT_CONFIG | false |
Optional Environment Variables (env_accepts)
| Variable | Description |
|----------|-------------|
| OPENROUTER_API_KEY | API key for OpenRouter (maps to OPENAI_API_KEY with OpenRouter base URL) |
| OLLAMA_API_KEY | API key for Ollama Cloud inference |
| OLLAMA_HOST | Local Ollama server URL (auto-injected by ollama layer env_provides) |
| OPENAI_API_KEY | Direct OpenAI API key |
| OPENAI_API_BASE_URL | OpenAI-compatible API base URL |
| WEBUI_AUTH | Enable authentication (default: true) |
| WEBUI_ADMIN_EMAIL | Admin account email for first-start setup |
| OV_MCP_SERVERS | JSON array of MCP servers (auto-injected by mcp_provides layers) |
MCP Accepts
| Name | Description |
|------|-------------|
| jupyter | JupyterLab CRDT MCP server for notebook manipulation |
| chrome-devtools | Chrome DevTools MCP server for browser automation |
Secrets (Two-Tier Architecture)
Tier 1: Infrastructure secrets (podman secrets via secrets: field)
Auto-generated by ov config, stored in credential store (keyring/kdbx):
| Secret | Env Fallback | Purpose |
|--------|-------------|---------|
| webui-secret-key | WEBUI_SECRET_KEY | JWT + encryption key (CRITICAL: losing it breaks all sessions and OAuth tokens) |
| admin-password | WEBUI_ADMIN_PASSWORD | Admin account password |
Provisioned as Secret=ov-openwebui-<name>,type=env,target=<ENV> in the quadlet. The entrypoint checks env vars first (from type=env injection), then file mounts at /run/secrets/ as fallback.
Tier 2: User API keys (GPG-encrypted .secrets file)
User-provided API keys stored via ov secrets gpg:
ov secrets gpg set OPENROUTER_API_KEY sk-or-xxx
ov config openwebui --env-file .secrets # Decrypts + injects at config time
Auto-Configuration Entrypoint
The openwebui-entrypoint runs on EVERY start (no sentinel — ENABLE_PERSISTENT_CONFIG=false means env vars always override database config):
- Reads secrets from env vars (podman
type=env) or/run/secrets/file mounts - LLM provider detection:
OLLAMA_HOST->OLLAMA_BASE_URL(Ollama server)OPENROUTER_API_KEY->OPENAI_API_KEY+OPENAI_API_BASE_URL=https://openrouter.ai/api/v1OLLAMA_API_KEY->OPENAI_API_KEY+OPENAI_API_BASE_URL=https://api.ollama.com/v1
- MCP server discovery from
OV_MCP_SERVERSJSON -> buildsTOOL_SERVER_CONNECTIONSJSON for Open WebUI - Jupyter detection — if a jupyter MCP server URL is found, sets
CODE_EXECUTION_ENGINE=jupyter - Execs
open-webui serve
TOOL_SERVER_CONNECTIONS Format
The entrypoint translates ov's OV_MCP_SERVERS format into Open WebUI's expected TOOL_SERVER_CONNECTIONS JSON:
[{
"type": "mcp",
"url": "http://ov-jupyter:8888/mcp",
"spec_type": "url", "spec": "", "path": "",
"auth_type": "", "key": "",
"config": {"enable": true},
"info": {"id": "", "name": "jupyter", "description": "MCP: jupyter"}
}]
Key fields: type must be "mcp" (not "openapi"), config.enable must be true.
Key Design Choice: ENABLE_PERSISTENT_CONFIG=false
This is the critical architectural decision. Without it, Open WebUI's database config overrides environment variables after the first admin-panel save. With it disabled, env vars ALWAYS win — so the entrypoint's dynamic configuration (LLM providers, MCP servers, Jupyter) works reliably on every restart. No sentinel-guarded config patching needed (unlike hermes).
Important: No port_relay Needed
Open WebUI binds to 0.0.0.0:8080 by default. The port_relay field is only for services that bind to 127.0.0.1 (like Chrome DevTools on port 9222). Using port_relay with Open WebUI causes a socat/Open WebUI port conflict on eth0.
Build Notes
- pixi.toml uses
[pypi-dependencies](NOT[feature.default.pypi-dependencies]— thedefaultfeature is reserved in pixi) - Open WebUI is installed via
pip install open-webuiin the pixi environment (~500MB+ of dependencies) - First startup takes ~30 seconds (Alembic DB migrations, model loading). supervisord
autorestart=truehandles transient failures.
Usage
# image.yml
openwebui:
base: fedora
layers:
- agent-forwarding
- openwebui
- dbus
- ov
ports:
- "8080:8080"
Related Layers
/ov-layers:python-- Python runtime dependency/ov-layers:supervisord-- process manager dependency/ov-layers:hermes-- alternative AI agent with similar MCP/LLM auto-config pattern
Related Commands
/ov:config--ov config openwebui --update-allfor service discovery/ov:secrets--ov secretsfor kdbx/keyring credential management/ov:service--ov service status openwebuifor runtime management/ov:mcp-- probe the MCP servers openwebui consumes (auto-configured intoTOOL_SERVER_CONNECTIONSfromOV_MCP_SERVERS):ov test mcp list-tools <provider-image>shows what tools openwebui will see, andov test mcp pingverifies liveness before debugging openwebui itself.
Related Images
/ov-images:openwebui-- the deployed image/ov-images:jupyter-- deploy alongside for MCP notebook access and code execution/ov-images:ollama-- deploy alongside for local LLM inference/ov-images:hermes-- alternative AI frontend (CLI-based agent vs web UI)
When to Use This Skill
MUST be invoked when the task involves the openwebui layer, Open WebUI configuration, LLM provider auto-detection, MCP server discovery for Open WebUI, or the openwebui entrypoint. Invoke this skill BEFORE reading source code or launching Explore agents.
Related
/ov:layer— layer authoring reference (layer.ymlschema, task verbs, service declarations)/ov:test— declarative testing (tests:block,ov image test,ov test)
Related Skills
overthinkos/agents
development
VerifiedTrustedCommunity
Claude Code multi-agent support in Overthink — sub-agents, dynamic workflows, and agent teams, and how each drives the existing `ov eval` disposable beds to test and verify. MUST be invoked before authoring or invoking an ov sub-agent / dynamic workflow / agent team, wiring agent-lifecycle hooks, or asking "which primitive should drive the R10 beds?".
SKILL.mdUpdated May 31, 2026
overthinkos/workspace-mount
tools
VerifiedTrustedCommunity
Mounts a virtiofs share tagged `workspace` at /workspace inside a VM guest via a systemd .mount unit. Use when a kind:vm entity shares a host directory into the guest and you need it auto-mounted (and re-mounted at every boot).
SKILL.mdUpdated May 30, 2026
overthinkos/android
development
VerifiedTrustedCommunity
MUST be invoked before any work involving: the `kind: android` schema kind, a `target: android` deploy, the `apk:` layer package format (installing Android apps declaratively), AndroidDeployTarget, an in-pod emulator OR a remote/physical adb-endpoint device, or nested `pod → android` deployment. The first-class Android device + app surface that sits above `ov eval adb`/`appium`.
SKILL.mdUpdated May 26, 2026
overthinkos/git-workflow
tools
VerifiedTrustedCommunity
Use when committing, branching, pushing, merging, tagging, creating PRs, or approving/merging PRs with gh — the feat/-branch, R10-gated, never-force-push landing workflow across the main repo + the plugins submodule + image/<distro> submodules. Covers sync-to-upstream, branch/worktree pruning, the fork+PR path for contributors without write access, and cross-repo @github landing order.
SKILL.mdUpdated May 25, 2026