Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

overthinkos/openwebui

Name: openwebui
Author: overthinkos

openwebui/skills/openwebui/SKILL.md

npx skillsauth add overthinkos/overthink-plugins openwebui

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Box: openwebui

Open WebUI with auto-configured LLM providers (Ollama, OpenRouter), MCP server discovery, and Jupyter code execution. No manual setup needed — secrets auto-managed via charly secrets.

Definition

openwebui:
  base: fedora
  candy:
    - agent-forwarding
    - openwebui
    - dbus
    - charly
  ports:
    - "8080:8080"

Candy Stack

| Candy | Purpose | |-------|---------| | agent-forwarding | SSH + GPG agent forwarding into container | | openwebui | Open WebUI with auto-config entrypoint | | dbus | D-Bus session bus | | charly | OpenCharly CLI for in-container management |

Quick Start

charly box build openwebui
charly config openwebui -e OPENROUTER_API_KEY=sk-or-xxx
charly start openwebui
# Open http://localhost:8080

Deployment Patterns

Standalone with GPG secrets (recommended)

charly secrets gpg setup
charly secrets gpg set OPENROUTER_API_KEY sk-or-xxx
charly box build openwebui
charly config openwebui --env-file .secrets
charly start openwebui

With local Ollama

charly config ollama
charly config openwebui --env-file .secrets --update-all
charly start ollama openwebui

Full workstation (Ollama + Jupyter + Browser)

charly config ollama
charly config jupyter --update-all
charly config selkies-desktop --update-all
charly config openwebui --env-file .secrets --update-all
charly start ollama jupyter selkies-desktop openwebui

Secrets Management

# Tier 1: Auto-generated infrastructure secrets
charly secrets list charly/openwebui
charly secrets get charly/openwebui webui-secret-key
charly secrets set charly/openwebui admin-password --generate

# Tier 2: User API keys (GPG-encrypted)
charly secrets gpg set OPENROUTER_API_KEY sk-or-new-key
charly secrets gpg show
charly config openwebui --env-file .secrets --update-all

Cross-Container Service Discovery

Deploy alongside provider containers for full functionality:

# 1. Deploy ollama (provides OLLAMA_HOST)
charly config ollama
charly start ollama

# 2. Deploy jupyter (provides jupyter MCP server)
charly config jupyter --update-all
charly start jupyter

# 3. Deploy openwebui (consumes both)
charly config openwebui --env-file .secrets --update-all
charly start openwebui

Open WebUI receives:

OLLAMA_BASE_URL=http://charly-ollama:11434 — local LLM inference
TOOL_SERVER_CONNECTIONS=[...] — MCP servers (jupyter + chrome-devtools)
CODE_EXECUTION_ENGINE=jupyter — code execution via Jupyter

Key Candies

/charly-openwebui:openwebui — Auto-config entrypoint, secrets, env_accept, TOOL_SERVER_CONNECTIONS format
/charly-distros:agent-forwarding — SSH/GPG forwarding

Related Boxes

/charly-jupyter:jupyter — deploy alongside for MCP notebooks and code execution
/charly-ollama:ollama — deploy alongside for local LLM inference
/charly-hermes:hermes — alternative AI frontend (CLI agent vs web UI)
/charly-selkies:selkies-labwc — deploy alongside for shared Chrome browser

Verification

charly status openwebui
charly service status openwebui                    # openwebui: RUNNING
curl -s -o /dev/null -w '%{http_code}' http://localhost:8080   # 200
charly shell openwebui -c "open-webui version"

# Verify secrets
charly status openwebui   # the Secrets: line lists the provisioned charly-openwebui-* engine secrets              # webui-secret-key, admin-password

# Verify MCP (inside container process)
charly cmd openwebui "cat /proc/3/environ" | tr '\0' '\n' | grep TOOL_SERVER_CONNECTIONS

Test Coverage

Latest charly eval live openwebui run: 24 passed, 0 failed, 0 skipped. Covers: openwebui entrypoint script presence, pixi python + charly binary, and deploy-scope: service up, port reachable on 127.0.0.1:${HOST_PORT:8080}, HTTP 200 on / (30-second timeout for first-request startup), admin email env var injected. See /charly-eval:eval for the framework.

Related Skills

/charly-openwebui:openwebui — candy authoring
/charly-eval:eval — declarative testing framework
/charly-build:secrets — WEBUI_ADMIN_PASSWORD + provider API keys
/charly-core:charly-config — -e WEBUI_ADMIN_EMAIL=... deploy-time env setup

When to Use This Skill

MUST be invoked before building, deploying, configuring, or troubleshooting the openwebui box.

/charly-image:image — image family umbrella (box: entries in charly.yml, build/validate/inspect/list)
/charly-build:build — build.yml vocabulary (distros, builders, init-systems)

overthinkos/openwebui

openwebui/skills/openwebui/SKILL.md

Open WebUI box with auto-configured LLM providers, MCP servers, and Jupyter on port 8080. MUST be invoked before building, deploying, configuring, or troubleshooting the openwebui box.

tools

Updated Jun 12, 2026

$ install --global

skillsauth

npx skillsauth add overthinkos/overthink-plugins openwebui

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Jun 12, 2026, 6:50 AM141.4s1 file scanned

SKILL.md

name:: openwebui
description:: |

Box: openwebui

Open WebUI with auto-configured LLM providers (Ollama, OpenRouter), MCP server discovery, and Jupyter code execution. No manual setup needed — secrets auto-managed via charly secrets.

Definition

openwebui:
  base: fedora
  candy:
    - agent-forwarding
    - openwebui
    - dbus
    - charly
  ports:
    - "8080:8080"

Candy Stack

Quick Start

charly box build openwebui
charly config openwebui -e OPENROUTER_API_KEY=sk-or-xxx
charly start openwebui
# Open http://localhost:8080

Deployment Patterns

Standalone with GPG secrets (recommended)

charly secrets gpg setup
charly secrets gpg set OPENROUTER_API_KEY sk-or-xxx
charly box build openwebui
charly config openwebui --env-file .secrets
charly start openwebui

With local Ollama

charly config ollama
charly config openwebui --env-file .secrets --update-all
charly start ollama openwebui

Full workstation (Ollama + Jupyter + Browser)

charly config ollama
charly config jupyter --update-all
charly config selkies-desktop --update-all
charly config openwebui --env-file .secrets --update-all
charly start ollama jupyter selkies-desktop openwebui

Secrets Management

# Tier 1: Auto-generated infrastructure secrets
charly secrets list charly/openwebui
charly secrets get charly/openwebui webui-secret-key
charly secrets set charly/openwebui admin-password --generate

# Tier 2: User API keys (GPG-encrypted)
charly secrets gpg set OPENROUTER_API_KEY sk-or-new-key
charly secrets gpg show
charly config openwebui --env-file .secrets --update-all

Cross-Container Service Discovery

Deploy alongside provider containers for full functionality:

# 1. Deploy ollama (provides OLLAMA_HOST)
charly config ollama
charly start ollama

# 2. Deploy jupyter (provides jupyter MCP server)
charly config jupyter --update-all
charly start jupyter

# 3. Deploy openwebui (consumes both)
charly config openwebui --env-file .secrets --update-all
charly start openwebui

Open WebUI receives:

OLLAMA_BASE_URL=http://charly-ollama:11434 — local LLM inference
TOOL_SERVER_CONNECTIONS=[...] — MCP servers (jupyter + chrome-devtools)
CODE_EXECUTION_ENGINE=jupyter — code execution via Jupyter

Key Candies

/charly-openwebui:openwebui — Auto-config entrypoint, secrets, env_accept, TOOL_SERVER_CONNECTIONS format
/charly-distros:agent-forwarding — SSH/GPG forwarding

Related Boxes

/charly-jupyter:jupyter — deploy alongside for MCP notebooks and code execution
/charly-ollama:ollama — deploy alongside for local LLM inference
/charly-hermes:hermes — alternative AI frontend (CLI agent vs web UI)
/charly-selkies:selkies-labwc — deploy alongside for shared Chrome browser

Verification

charly status openwebui
charly service status openwebui                    # openwebui: RUNNING
curl -s -o /dev/null -w '%{http_code}' http://localhost:8080   # 200
charly shell openwebui -c "open-webui version"

# Verify secrets
charly status openwebui   # the Secrets: line lists the provisioned charly-openwebui-* engine secrets              # webui-secret-key, admin-password

# Verify MCP (inside container process)
charly cmd openwebui "cat /proc/3/environ" | tr '\0' '\n' | grep TOOL_SERVER_CONNECTIONS

Test Coverage

Related Skills

/charly-openwebui:openwebui — candy authoring
/charly-eval:eval — declarative testing framework
/charly-build:secrets — WEBUI_ADMIN_PASSWORD + provider API keys
/charly-core:charly-config — -e WEBUI_ADMIN_EMAIL=... deploy-time env setup

When to Use This Skill

MUST be invoked before building, deploying, configuring, or troubleshooting the openwebui box.

/charly-image:image — image family umbrella (box: entries in charly.yml, build/validate/inspect/list)
/charly-build:build — build.yml vocabulary (distros, builders, init-systems)

Related Skills

overthinkos/charly

tools

VerifiedTrustedCommunity

OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-cachyos

development

VerifiedTrustedCommunity

Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-cachyos

overthinkos/charly-fedora

tools

VerifiedTrustedCommunity

Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-fedora

overthinkos/charly-arch

tools

VerifiedTrustedCommunity

Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-arch

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/overthinkos/overthink-plugins.git

# Copy into Claude Code skills folder (global)
cp -r overthink-plugins/openwebui/skills/openwebui ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

overthinkos/overthink-plugins

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT