# Threat Model: open-webui-mcp
## Threat actors
- **Malicious user**: Attempts to inject instructions via chat content to override system prompt behavior or trigger unsafe updates.
- **Compromised evaluator**: LLM evaluator (OpenRouter) returns manipulated or unsafe normalized change sets.
## Attack vectors
- **Prompt injection**: User messages that try to override evaluator or tool instructions (e.g., “ignore previous instructions”).
- **System prompt escape**: Attempts to replace or append system prompt with override directives or disclosure requests.
- **Credential exposure**: Chat content or summaries include secrets that could be forwarded to evaluator or logs.
## Mitigations
- **Input validation**: Enforce maximum sizes for chat snapshots and system prompts; reject oversized payloads early.
- **Forbidden pattern detection**: Block known prompt-escape patterns in system prompt updates.
- **Output sanitization**: Validate evaluator output and reject unsafe or malformed change sets prior to apply.
- **Secrets redaction**: Redact sensitive values from snapshots and audit logs.
- **Allowlist enforcement**: Apply engine only mutates allowed fields; destructive operations are rejected.
## Guardrails implemented
- **Size limits**
  - Chat snapshot total content capped (`MAX_CHAT_SNAPSHOT_CHARS`).
  - System prompt content capped (`MAX_SYSTEM_PROMPT_CHARS`).
- **Forbidden patterns**
  - Block system prompt escape phrases and system-role delimiters (regex-based).
- **Pre-apply validation**
  - Change sets are validated before apply; system prompt changes are rejected if they violate size or pattern rules.
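The guardrails above (size caps, regex-based forbidden patterns, apply allowlist, pre-apply validation of change sets) as one added, self-contained example in Python; this is illustrative code, not the project's own. The numeric cap values, the change-set shape (`op`/`field`/`value`), the allowed fields and the specific regexes are assumptions made for the example.

```python
import re

# Caps named in the threat model; the numeric values are assumptions for this example.
MAX_CHAT_SNAPSHOT_CHARS = 20_000
MAX_SYSTEM_PROMPT_CHARS = 4_000

# Assumed apply allowlist: only these fields may be mutated, and only via a "set".
ALLOWED_FIELDS = {"system_prompt", "title", "temperature"}
ALLOWED_OPS = {"set"}  # "delete", "reset", etc. are destructive and rejected

# Regex-based guardrail for prompt-escape phrases and system-role delimiters (assumed set).
FORBIDDEN_PATTERNS = [
    re.compile(r"ignore\s+(all\s+|any\s+)?(previous|prior|above)\s+instructions", re.I),
    re.compile(r"(reveal|print|disclose)\s+(the|your)\s+(system prompt|instructions)", re.I),
    re.compile(r"<\|?\s*(system|im_start)\s*\|?>", re.I),  # <system>, <|im_start|>
    re.compile(r"^\s*system\s*:", re.I | re.M),             # a bare "system:" role line
]

def find_forbidden(text: str) -> list[str]:
    """Return the patterns that match `text`; an empty list means it is clean."""
    return [p.pattern for p in FORBIDDEN_PATTERNS if p.search(text)]

def snapshot_within_cap(messages: list[dict]) -> bool:
    """Size guardrail: total chat snapshot content must not exceed the cap."""
    return sum(len(m.get("content", "")) for m in messages) <= MAX_CHAT_SNAPSHOT_CHARS

def validate_change_set(change_set: list[dict]) -> list[str]:
    """Pre-apply validation of an evaluator-produced change set.

    Each entry is {"op": ..., "field": ..., "value": ...} (assumed shape).
    Returns the rejection reasons; an empty list means the set may be applied.
    """
    errors = []
    for i, change in enumerate(change_set):
        op, field, value = change.get("op"), change.get("field"), change.get("value")
        if op not in ALLOWED_OPS:
            errors.append(f"change {i}: op '{op}' is destructive or unknown")
            continue
        if field not in ALLOWED_FIELDS:
            errors.append(f"change {i}: field '{field}' is not in the apply allowlist")
            continue
        if field == "system_prompt":
            if not isinstance(value, str):
                errors.append(f"change {i}: system_prompt must be a string")
            elif len(value) > MAX_SYSTEM_PROMPT_CHARS:
                errors.append(f"change {i}: system_prompt exceeds {MAX_SYSTEM_PROMPT_CHARS} chars")
            else:
                for pattern in find_forbidden(value):
                    errors.append(f"change {i}: system_prompt matches forbidden pattern {pattern}")
    return errors
```

Any non-empty result blocks the whole change set; an existing prompt that already trips a pattern therefore needs manual cleanup before an update can pass, matching the residual risk noted below.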
## Residual risks
- Sophisticated prompt injection may bypass regex-based detection; rely on conservative apply allowlists and human review.
- Existing system prompts that already contain forbidden patterns may require manual remediation before updates.