SkillTotal

Is ollama/ollama safe?

The ollama/ollama repo is an AI go_project analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 3 risky constructs are reported for review. Its capabilities are network egress and shell execution; capabilities are what the code can do, not a verdict on intent. Risk score 20/100 (low).

repo · go_project · https://github.com/ollama/ollama
Risk score: 20 / 100 (LOW)
Snapshot · scanned Jul 3, 2026 · repo@dba1e27 · engine 0.24.0 / ruleset 25
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Node.js shell/command execution
  • Defense-evasion command idiom
  • Node.js network egress

No malicious indicators found by static analysis.

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of ollama/ollama's authors.

Capabilities — what this component can do (not a risk score):
  • network egress
  • shell execution

Findings (3)

HIGH · Defense-evasion command idiom · ST-SHELL-EVASION

A command uses a known defense-evasion idiom: PowerShell execution-policy bypass / encoded command / hidden window, macOS code-signing bypass, or launching a payload from a world-writable temp directory. These are hallmarks of droppers and rarely appear in legitimate code.

# powershell -ExecutionPolicy Bypass -File .\scripts\build_windows.ps1

Fix: Verify why the component bypasses execution policy / code signing or runs from a temp directory; these patterns are characteristic of malware staging.

HIGH · Node.js shell/command execution · ST-SHELL-NODE

The component can run operating-system commands or spawn processes.

while ((match = urlRegex.exec(text)) !== null) {
while ((match = regex.exec(node.value))) {
while ((match = generic.exec(remaining))) {

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.

MEDIUM · Node.js network egress · ST-NET-NODE

The component makes outbound network requests.

const response = await fetch(`${API_BASE}/api/me`, {
const response = await fetch(`${API_BASE}/api/me`, {
const response = await fetch(`${API_BASE}/api/signout`, {
const response = await fetch(`${API_BASE}/api/v1/chats`);
const response = await fetch(`${API_BASE}/api/v1/chat/${chatId}`);
const response = await fetch(`${API_BASE}/api/v1/chat/${chatId}`, {
const response = await fetch(`${API_BASE}/api/v1/settings`);
const response = await fetch(`${API_BASE}/api/v1/settings`, {
const response = await fetch(`${API_BASE}/api/v1/cloud`, {
const response = await fetch(`${API_BASE}/api/v1/chat/${chatId}/rename`, {
const response = await fetch(`${API_BASE}/api/v1/chat/${chatId}`, {
const response = await fetch(`${API_BASE}/api/v1/model/upstream`, {
const response = await fetch(`${API_BASE}/api/v1/models/pull`, {
const response = await fetch(
const response = await fetch(`${API_BASE}/api/v1/inference-compute`);
const response = await fetch(`${API_BASE}/api/version`, {
const response = await fetch(`${API_BASE}/api/v1/cloud`);

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.