JS Labs / Evidence-led analysis
The AI slop intelligence dashboard problem
Every day now, fresh batches of "AI intelligence" dashboards are posted across personal blogs, Hacker News, and Reddit, often in waves of thirty, forty, or fifty at a time. This page reviews a slice from just the last few days and finds the same pattern repeated: authority-forward interfaces, evidence-light internals, and avoidable safety failures. The audit trail now stands at 181 filed issues across 14 active public trackers, with one additional cloned repo blocked from public filing because GitHub issues are disabled. The exhausting part is not that one repo is bad. It is that the same bad ideas keep being cloned, rebranded, and relaunched as if a different coat of paint could turn fabricated output into evidence.
Key allegation summary
The evidence supports a narrow but serious claim: a significant share of these rapidly cloned dashboards present themselves as intelligence infrastructure while relying on fabricated outputs, unsafe operational surfaces, and weak provider boundaries. It is a category-level trust failure with wider downstream risk, including needless compute burn for synthetic outputs that should never have been generated. Read on, and if you are using tools like these for decisions, stop and verify everything.
How to read this page
For non-technical readers, use one test throughout: does the product separate verified evidence from simulation, and does it disclose uncertainty when evidence is weak?
For technical readers, each section maps presentation claims to implementation behavior: route contracts, auth boundaries, provider integration patterns, runtime assumptions, and failure handling.
What this investigation found
We reviewed only a recent slice, not every repo in the category, and still found the same recurring pattern: authority-signaling interfaces paired with implementation choices that would not pass a serious trust, safety, or reliability review.
- Fabricated or synthetic outputs are sometimes delivered in a format that implies operational truth.
- Unsafe control surfaces are exposed in ways that create avoidable abuse and availability risk.
- Provider integrations are weakly governed, with brittle throttling and proxy-like patterns that are hard to defend.
- The claims are evidence-backed, mapped to public issue trails across 14 active trackers and one blocked clone.
- One repo committed a prompt injection in its AGENTS.md, a file that AI coding agents read before they review code. It is the only finding in this series filed as adversarial design rather than bad engineering.
- Intent is not the threshold here; repeated boundary failure at this layer is itself a material risk signal.
- The pattern widened as the sample widened: outbreak trackers, OSINT dashboards, recon tools, “AI analyst” panels, and intelligence maps all repeated the same underlying defects with minimal adaptation.
Claim 1: some of these projects appear willing to fabricate intelligence-like output
This is the most consequential failure in the set: synthetic output presented in the rhetorical frame of verified intelligence. When that boundary collapses, the product actively distorts judgment.
Claim
Observed output paths blur the line between real evidence and synthetic filler
Based on the issue set already filed, several routes appear to emit plausible-looking intelligence output that is not clearly grounded in upstream truth. The observed pattern includes random commodity values labeled as live, deterministic fake vessel paths, synthetic news and sentiment fallback, and fabricated recon device results.
In practical terms, this is the software equivalent of correlating BGP instability with airport traffic, giving the output a stern label, and hoping the user mistakes narrative structure for intelligence. The interface gives the reader a story shape. The code does not necessarily give the reader evidence.
Evidence 01 / Public repo issue
Market route labeled live while generating commodity prices from randomness
- Observed: 14 May 2026
- Source: GeoSentinel issue #19
- Finding: the issue documents a route returning `status: LIVE` while commodity prices are generated with `random.uniform(...)`.
- Confidence: High
Evidence 02 / Public repo issue
Vessel history path appears to be generated from pseudorandom data
- Observed: 14 May 2026
- Source: GeoSentinel issue #17
- Finding: the issue documents a route seeded by MMSI that emits a repeatable "realistic" path rather than observed tracking history.
- Confidence: High
Evidence 03 / Public repo issue
Geo-political news fallback appears to mix synthetic sentiment and synthetic summaries
- Observed: 14 May 2026
- Source: GeoSentinel issue #18
- Finding: the issue documents random sentiment and simulated narrative generation entering the normal route path.
- Confidence: High
Evidence 04 / Public repo issue
Recon route appears to fabricate devices when provider data is absent
- Observed: 14 May 2026
- Source: WireTapper issue #11
- Finding: the issue documents random and hardcoded fallback devices returned through the same production response contract.
- Confidence: High
Evidence 05 / Public repo issue
News API emits randomized escalation probabilities as if they were assessments
- Observed: 14 May 2026
- Source: osiris issue #23
- Finding: the issue documents a news route that appends a random escalation probability to every article, presented without disclosure in the same field as evidence-backed intelligence.
- Confidence: High
Evidence 06 / Public repo issue
Fire layer fabricates telemetry by mixing volcano events and inventing fire data
- Observed: 14 May 2026
- Source: osiris issue #30
- Finding: the issue documents a fire intelligence layer that silently mixes volcano records into wildfire results and uses generated intensity values as if they were telemetry.
- Confidence: High
Claim 2: some of these projects expose operationally unsafe control surfaces
The second pattern is operational, not theoretical: administrative and provider-backed capability exposed through weak boundary design. These are foundational engineering controls, not optional hardening tasks.
Claim
Unsafe control surfaces are visible from the public code and issue trail
The observed findings include public provider credential exposure, unauthenticated Docker control, SVG upload paths served from the application origin, and process-local runtime designs that appear likely to split state under normal multi-worker deployment.
There is no flattering way to describe a backend that talks about operations and then exposes stop and restart routes to unauthenticated callers. There is no serious way to describe client-visible credential material as “just a helper.” These are boundary failures.
Evidence 07 / Public repo issue
Provider credential material exposed through a public token route
- Observed: 14 May 2026
- Source: GeoSentinel issue #16
- Finding: the issue documents a route returning encoded WiGLE credential material to callers.
- Confidence: High
Evidence 08 / Public repo issue
Unauthenticated Docker control endpoints present in a public backend
- Observed: 14 May 2026
- Source: GHOST-osint-crm issue #13
- Finding: the issue documents stop, restart, status, and log routes backed by `docker-compose`.
- Confidence: High
Evidence 09 / Public repo issue
SVG upload path served from the application origin
- Observed: 14 May 2026
- Source: GHOST-osint-crm issue #14
- Finding: the issue documents SVG uploads accepted and served from the same origin as the application.
- Confidence: High
Evidence 10 / Public repo issue
Process-local runtime design appears likely to fragment state under scale
- Observed: 14 May 2026
- Source: GeoSentinel issue #20
- Finding: the issue documents lazy background ingestion built around process-global state and likely multi-worker inconsistency.
- Confidence: High
Claim 3: some provider integrations appear to be structurally weak or non-defensible
Even where direct fabrication is not visible, provider discipline often remains weak: throttling that does not hold, anonymous proxy-style patterns, plaintext or undocumented endpoints, and client-side bypasses that erode control intent.
Claim
Observed integrations suggest a preference for convenience over provider-safe design
The issue trail already documents anonymous recon routing into third-party sources, broken Nominatim throttling and bypass paths, and tower lookups that rely on plaintext or AJAX-style endpoints rather than a defensible machine contract.
This is how the genre keeps reproducing itself: a thin interface gets wrapped around someone else’s infrastructure, then marketed as a novel platform. The branding says strategic analysis; the implementation often says weekend prototype with production access.
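The throttling failure in GHOST-osint-crm issue #15 has a general fix: one server-side chokepoint that every geocoding call in the application goes through, with the cache checked first and the interval enforced before the request leaves. The following is an added example, not GHOST-osint-crm's code; it enforces Nominatim's published usage policy (at most one request per second, an identifying User-Agent, cached results). `BrokenGeocoder` reconstructs the bug class described in the issue, where the throttle keeps bookkeeping but never delays an uncached request. The clock, sleep and fetch are injected so the spacing can be checked offline; the User-Agent string is a placeholder.

```python
"""Server-side geocoding chokepoint; added example, not GHOST-osint-crm's code."""
import time

MIN_INTERVAL = 1.0  # seconds between upstream requests, per Nominatim's usage policy
USER_AGENT = "example-osint-crm/0.1 (ops@example.invalid)"  # placeholder identity


class BrokenGeocoder:
    """Records when the last request went out but never waits on it."""

    def __init__(self, fetch, clock=time.monotonic, sleep=time.sleep):
        self._fetch, self._clock = fetch, clock
        self._cache, self._last = {}, float("-inf")

    def geocode(self, query):
        if query in self._cache:
            return self._cache[query]
        self._last = self._clock()          # bookkeeping only: no delay is applied
        result = self._fetch(query, {"User-Agent": USER_AGENT})
        self._cache[query] = result
        return result


class ThrottledGeocoder:
    """Every Nominatim call in the application goes through this object, so the
    browser never talks to the provider directly and the interval actually holds."""

    def __init__(self, fetch, clock=time.monotonic, sleep=time.sleep):
        self._fetch, self._clock, self._sleep = fetch, clock, sleep
        self._cache, self._last = {}, float("-inf")

    def geocode(self, query):
        key = " ".join(query.split()).lower()   # normalise so repeats hit the cache
        if key in self._cache:
            return self._cache[key]
        wait = self._last + MIN_INTERVAL - self._clock()
        if wait > 0:
            self._sleep(wait)                   # the delay the broken version skips
        self._last = self._clock()              # stamped after waiting, before sending
        result = self._fetch(key, {"User-Agent": USER_AGENT})
        self._cache[key] = result
        return result


class FakeClock:
    """Deterministic clock for the demo: sleeping advances time instead of blocking."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def upstream_hit_times(geocoder_cls):
    """Run four lookups (three distinct, one repeat differing only in case and
    whitespace) and return the clock readings at which upstream was actually hit."""
    clock, hits = FakeClock(), []

    def fake_fetch(query, headers):          # constructed stand-in for the HTTP call
        assert headers["User-Agent"] == USER_AGENT
        hits.append(round(clock.now(), 3))
        return {"query": query, "lat": 0.0, "lon": 0.0}

    g = geocoder_cls(fake_fetch, clock=clock.now, sleep=clock.sleep)
    for q in ("Berlin", "Paris", "Oslo", "berlin "):
        g.geocode(q)
    return hits
```

With the fake clock, `upstream_hit_times(BrokenGeocoder)` hits the provider four times at t=0, while `upstream_hit_times(ThrottledGeocoder)` hits it at t=0, 1, 2 and serves the repeat from cache. The second half of the issue, browser components calling Nominatim directly, is not something this class can fix on its own: the frontend has to call the application's geocode route, never the provider, or the chokepoint is decorative.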
Evidence 11 / Public repo issue
Public recon proxy into WiGLE, Shodan, and cell-data providers
- Observed: 14 May 2026
- Source: WireTapper issue #10
- Finding: the issue documents anonymous callers driving server-side provider-backed recon operations.
- Confidence: High
Evidence 12 / Public repo issue
Broken Nominatim throttling and direct frontend bypass
- Observed: 14 May 2026
- Source: GHOST-osint-crm issue #15
- Finding: the issue documents rate-limit logic that appears not to delay successful uncached requests, while browser components call Nominatim directly.
- Confidence: High
Evidence 13 / Public repo issue
Plaintext and AJAX-style tower lookup paths
- Observed: 14 May 2026
- Source: WireTapper issue #12
- Finding: the issue documents tower lookups using plaintext HTTP and public AJAX-like endpoints as if they were stable APIs.
- Confidence: High
Timeline
This is not a long historical investigation yet. It is a tightly scoped sequence showing how quickly severe findings surfaced once the cloned repos were reviewed.
Target repositories were cloned locally for issue-backed triage.
Source: local audit workspace and public repositories.
Seven issues were documented, including fake market data, fake vessel history, a repository-known session key, and scraping routes masquerading as stable data sources.
Source: GeoSentinel issue tracker.
Seven issues were documented, including unauthenticated Docker control, a repository-known session secret, and plaintext wireless-password retention.
Source: GHOST-osint-crm issue tracker.
Seven issues were documented, including anonymous provider-backed recon proxying, fabricated fallback recon data, direct DOM XSS sinks, and a committed debug server entrypoint.
Source: WireTapper issue tracker.
Four issues were documented, including a public image proxy, unauthenticated chat spend exposure, public RSS fan-out, and unbounded process-local cache growth.
Source: pharos-ai issue tracker.
The article and linked issue index were assembled into a static page for external hosting and continued expansion.
Impact: claims, evidence, caveats, and update path are now visible in one place.
A second deep pass identified new findings not covered in the first pass: unauthenticated AI memory poisoning in GeoSentinel (#25), missing CSRF protection in GHOST-osint-crm (#21), silent network fingerprint exfiltration in WireTapper (#19), and a Tailscale-range SSRF bypass in the pharos-ai image proxy (#84).
osiris also received a dedicated second-pass audit that uncovered broken live features, hardcoded credentials, and data fabrication across additional routes.
osiris's AGENTS.md was found to contain an instruction block claiming Next.js breaking changes and redirecting AI agents to a path under node_modules/ that was absent from the audited checkout. Filed as osiris issue #46.
It is the only finding in the series filed as apparent adversarial design rather than bad engineering, on the reading that someone tried to keep AI tools from reviewing the code accurately.
The issue trail widened materially on 15 May 2026. The original cluster did not stabilize under deeper review; it spread. osiris now stands at 48 filed issues, GeoSentinel 20, GHOST-osint-crm 17, WireTapper 16, pharos-ai 14, and hantavirus-tracker 15.
Additional repos were then pulled into scope and produced the same pattern almost immediately: worldmonitor 6 issues, HantaTracker26 7, OSINT-Master-Tool 6, OSINT-War-Room 9, OSINTel-Dashboard 7, hantatracker 8, qgis-osint 6. delta-intelligence-dashboard added with 2 issues. VaradScript/GeoSentinel remains blocked by disabled issues.
Total filed issues: 181 across 14 active public trackers, with one additional clone blocked from the standard public filing path.
Technical findings
The blocks below are for readers who want implementation-level detail. They show enough to substantiate the claim without turning the page into a misuse guide. Sensitive or abuse-enabling detail should remain in the linked issue process where necessary.
Code evidence: random commodity values labeled live
Context: documented in GeoSentinel issue #19. The route appears to build commodity values with random offsets while returning a live-status response.
commodities = {
"OIL": {"price": 74.23 + random.uniform(-0.5, 0.5), ...},
"BRENT": {"price": 79.12 + random.uniform(-0.5, 0.5), ...}
}
return jsonify({
"status": "LIVE",
"commodities": commodities
})
Why it matters: the response preserves the presentation shape of a legitimate market feed while undermining the truth value of the returned numbers.
Code evidence: vessel history derived from pseudorandom generation
Context: documented in GeoSentinel issue #17. The route appears to seed a generator with MMSI and then emit a repeatable synthetic path.
random.seed(mmsi)
lat = random.uniform(-60, 70)
lon = random.uniform(-180, 180)
for _ in range(25):
lat += random.uniform(-1.0, 1.0)
lon += random.uniform(-1.0, 1.0)
res.append([lat, lon])
Why it matters: a deterministic fiction can feel more trustworthy than an obvious error because it repeats cleanly.
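Both snippets above were found the same way: a route handler that draws from `random` and still returns a payload asserting live status. That check generalises, and it is cheap to run across an entire cloned repo before reading a single route by hand. The block below is an added example, not code from any audited repository. It parses Python source with the standard `ast` module, and for every function records calls into `random`, route decorators, and string literals that assert freshness or health; a function is reported when it draws randomness and is either a route or emits such a literal. `SAMPLE_SOURCE` is constructed here: it reconstructs the two shapes quoted on this page plus one honest variant that returns `UNAVAILABLE` instead of inventing numbers.

```python
"""Static probe for 'random values behind a LIVE label'; added example."""
import ast
from dataclasses import dataclass, field

# Calls that produce synthetic values rather than fetched ones.
RANDOM_FUNCS = {"uniform", "random", "randint", "choice", "choices",
                "sample", "gauss", "seed", "shuffle"}
# String literals that assert freshness or health to the caller.
LIVE_MARKERS = {"LIVE", "live", "ok", "OK", "online", "healthy"}
ROUTE_DECORATORS = {"route", "get", "post", "put", "delete"}


@dataclass
class Finding:
    function: str
    lineno: int
    is_route: bool
    random_calls: list = field(default_factory=list)
    live_literals: list = field(default_factory=list)


def _is_route(fn):
    """True for Flask/FastAPI-style decorators such as @app.route(...) or @router.get(...)."""
    for dec in fn.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        if isinstance(target, ast.Attribute) and target.attr in ROUTE_DECORATORS:
            return True
    return False


def _call_name(call):
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""


def scan_source(src):
    """One Finding per function that draws randomness and is either a route or
    emits a live/ok literal in the same body. Bare names such as `uniform` are
    matched too (from-imports), which is deliberately noisy for an audit."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        f = Finding(node.name, node.lineno, _is_route(node))
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                name = _call_name(sub)
                module, _, attr = name.partition(".")
                if module == "random" and attr in RANDOM_FUNCS:
                    f.random_calls.append(name)
                elif not attr and module in RANDOM_FUNCS:
                    f.random_calls.append(name)
            elif isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                if sub.value in LIVE_MARKERS:
                    f.live_literals.append(sub.value)
        if f.random_calls and (f.is_route or f.live_literals):
            findings.append(f)
    return findings


# Constructed sample: the two shapes quoted on this page plus an honest variant.
SAMPLE_SOURCE = '''
import random
from flask import jsonify

@app.route("/api/market")
def market():
    commodities = {"OIL": {"price": 74.23 + random.uniform(-0.5, 0.5)}}
    return jsonify({"status": "LIVE", "commodities": commodities})

@app.route("/api/vessel/<mmsi>/history")
def vessel_history(mmsi):
    random.seed(mmsi)
    res = []
    lat, lon = random.uniform(-60, 70), random.uniform(-180, 180)
    for _ in range(25):
        lat += random.uniform(-1.0, 1.0)
        lon += random.uniform(-1.0, 1.0)
        res.append([lat, lon])
    return jsonify(res)

@app.route("/api/market/honest")
def market_honest():
    quotes = fetch_quotes()
    if quotes is None:
        return jsonify({"status": "UNAVAILABLE", "commodities": {}})
    return jsonify({"status": "LIVE", "commodities": quotes, "as_of": quotes_time()})
'''


def report(src=SAMPLE_SOURCE):
    """Map each flagged function to the distinct random calls it makes."""
    return {f.function: sorted(set(f.random_calls)) for f in scan_source(src)}
```

Run over a checkout with `for p in Path(".").rglob("*.py"): report(p.read_text())`. The honest route is not flagged even though it returns the string `LIVE`, because nothing synthetic feeds the payload; that is the distinction the page's one test asks for, expressed as code.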
Code evidence: unauthenticated Docker control surface
Context: documented in GHOST-osint-crm issue #13. The observed routes appear to call container-management commands without the sort of auth barrier implied elsewhere in the project.
app.post('/api/docker/restart', async (req, res) => {
await execPromise('docker-compose restart')
})
app.post('/api/docker/stop', async (req, res) => {
await execPromise('docker-compose stop')
})
Why it matters: dangerous host-control paths embedded directly in the application surface create denial-of-service and information-disclosure risk.
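The same boundary problem shows up in the fetch-style surfaces filed elsewhere in this series: the pharos-ai image proxy (#78, #84) and the osiris scanner endpoint (#45) both let an anonymous caller choose where the server connects, and #84 specifically names the Tailscale CGNAT range as missing from the blocklist. The block below is an added example of a destination check for such a proxy, not code from pharos-ai or osiris. It resolves the hostname and checks every address, maps IPv4-mapped IPv6 back to IPv4, re-runs the check on each redirect hop instead of letting the HTTP client follow redirects, and relays only the content type the proxy exists for. `FAKE_DNS` and `FAKE_WEB` are constructed stand-ins so it runs offline; the resolver and fetch callables are the injection points.

```python
"""Destination check for a server-side fetcher; added example."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Explicit deny list. is_private alone is not enough: 100.64.0.0/10 (shared
# address space, which Tailscale uses for tailnet addresses) is neither private
# nor global under RFC 6598, which is the gap pharos-ai #84 describes.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_CONTENT_PREFIX = "image/"   # what an image proxy is for; nothing else is relayed


def _default_resolver(host):
    """All addresses the host resolves to; the decision must cover every one of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(text):
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.1 is still 10.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS) or not addr.is_global


def check_destination(url, resolver=_default_resolver):
    """Return (ok, reason), decided before any connection is opened."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addresses = [str(ipaddress.ip_address(parts.hostname))]   # literal IP
    except ValueError:
        try:
            addresses = resolver(parts.hostname)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    for a in addresses:
        if is_blocked_address(a):
            return False, f"{parts.hostname} resolves to blocked address {a}"
    return True, "ok"


def fetch_through_proxy(url, fetch, resolver=_default_resolver, max_hops=3):
    """Re-check the destination on every redirect hop, then enforce content type.
    `fetch(url)` returns (status, headers, body) and must not follow redirects."""
    for _ in range(max_hops):
        ok, reason = check_destination(url, resolver)
        if not ok:
            return None, reason
        status, headers, body = fetch(url)
        if 300 <= status < 400 and headers.get("location"):
            url = urljoin(url, headers["location"])
            continue
        ctype = headers.get("content-type", "")
        if not ctype.startswith(ALLOWED_CONTENT_PREFIX):
            return None, f"refusing to relay content-type {ctype!r}"
        return body, "ok"
    return None, "too many redirects"


# Constructed fixtures: a public host, a tailnet host, and a redirect into metadata.
FAKE_DNS = {"img.example.org": ["93.184.216.34"],
            "cdn.example.org": ["93.184.216.34"],
            "box.tailnet.example": ["100.101.102.103"]}
FAKE_WEB = {
    "https://img.example.org/a.png": (200, {"content-type": "image/png"}, b"\x89PNG"),
    "https://img.example.org/page": (200, {"content-type": "text/html"}, b"<html>"),
    "https://cdn.example.org/jump": (302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""),
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def proxy_demo(url):
    return fetch_through_proxy(url, lambda u: FAKE_WEB[u], fake_resolver)
```

One caveat the block cannot close on its own: resolving here and connecting later leaves a DNS rebinding window, so a production fetcher should connect to the address that passed the check rather than re-resolving, and the route in front of this still needs authentication and a request budget so the check is not the only thing standing between an anonymous caller and the server's egress.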
Code evidence: deliberate prompt injection in AGENTS.md targeting AI code reviewers
Context: documented in osiris issue #46. The repository's AGENTS.md, a file that AI coding agents such as Claude Code, Copilot Workspace, and similar tools read before they touch the code, contains a block that tells the agent its training data is wrong about Next.js and sends it to a path under node_modules/ before it writes anything.
<!-- BEGIN:nextjs-agent-rules -->
# This is NOT the Next.js you know
This version has breaking changes — APIs, conventions, and file
structure may all differ from your training data. Read the relevant
guide in `node_modules/next/dist/docs/` before writing any code.
Heed deprecation notices.
<!-- END:nextjs-agent-rules -->
Why it matters: AGENTS.md is an instruction channel, and an agent reads it before it reads the code, so whatever is in it shapes the review. The auditor's reading is that this block is hand-authored: the path was absent from the checkout, nothing in the repo substantiates the breaking-changes claim, and the comment markers are aimed at agent parsing rather than human readers. That reading needs one check before it is filed as adversarial. create-next-app for Next.js 16 scaffolds an AGENTS.md containing this block and these markers, and that release ships its documentation under node_modules/next/dist/docs/ once dependencies are installed. Read the pinned next version in package.json, do a clean install, and look for the directory. If it is present and the block matches the scaffold verbatim, this is unmodified boilerplate, and the finding reduces to the weaker point that the repo hands its agent instructions to a dependency it does not pin or review. If the pinned version predates that scaffold, or the block has been edited, the adversarial reading stands: a hand-written redirect away from the code under review is an attempt to subvert automated review, and in a supply-chain-compromised install a dependency-controlled path is attacker-controlled content either way.
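Whichever way the attribution comes out, the operational lesson is that agent instruction files are input to the review pipeline and deserve a pass of their own before an agent reads them. The block below is an added example, not osiris's code: it lists every instruction file an agent would read, resolves the paths those files tell the agent to read against the checkout, flags references into node_modules/ as dependency-controlled, and surfaces HTML-comment blocks because agents parse them and humans skim past them. The sample tree is constructed in a temporary directory (a hypothetical repo layout) and carries the instruction block quoted above; the file list is the set of conventions common coding agents use and is an assumption, extend it for your tooling.

```python
"""Pre-review audit of agent instruction files; added example."""
import re
import tempfile
from pathlib import Path

INSTRUCTION_FILES = ("AGENTS.md", "CLAUDE.md", "GEMINI.md", ".cursorrules",
                     ".github/copilot-instructions.md")
PATH_RE = re.compile(r"`([^`\s]+/[^`\s]*)`")   # backticked tokens containing a slash
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)


def audit_instructions(root):
    """Return (file, kind, detail) triples. Run after a clean dependency install,
    otherwise every node_modules/ reference reports as missing."""
    root = Path(root)
    findings = []
    for rel in INSTRUCTION_FILES:
        path = root / rel
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in PATH_RE.finditer(text):
            ref = m.group(1)
            if ref.startswith(("/", "http://", "https://")):
                findings.append((rel, "external-ref", ref))   # never resolved against the repo
                continue
            if ref.startswith("node_modules/"):
                findings.append((rel, "dependency-controlled", ref))
            if not (root / ref.rstrip("/")).exists():
                findings.append((rel, "missing-path", ref))
        for m in COMMENT_RE.finditer(text):
            findings.append((rel, "html-comment", m.group(0).splitlines()[0][:60]))
    return findings


# Constructed AGENTS.md carrying the block quoted on this page.
AGENTS_MD = """<!-- BEGIN:nextjs-agent-rules -->
# This is NOT the Next.js you know
This version has breaking changes; APIs, conventions, and file structure may
all differ from your training data. Read the relevant guide in
`node_modules/next/dist/docs/` before writing any code. Heed deprecation notices.
<!-- END:nextjs-agent-rules -->
"""


def audit_demo():
    """Audit the constructed tree before and after the referenced docs directory exists."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "AGENTS.md").write_text(AGENTS_MD, encoding="utf-8")
        before = audit_instructions(tmp)
        (Path(tmp) / "node_modules" / "next" / "dist" / "docs").mkdir(parents=True)
        after = audit_instructions(tmp)
    return before, after
```

Before the directory exists the audit reports the path as missing, dependency-controlled, and wrapped in two HTML comments; after it exists only the latter two remain. That second state is the one to make a decision on: a path that resolves is not fabricated, but it is still content the repository does not control.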
Repo coverage
The issue coverage below is the backbone of the article. The series now spans fifteen repos in scope: fourteen with active public issue trackers and one blocked clone where GitHub issues are disabled. The core pattern did not improve as the sample widened. It got worse: more fabricated output, more false “live” states, more open control surfaces, more borrowed authority, and more code that would rather simulate confidence than admit uncertainty.
Audit matrix
| Repository | Status | Filed issues | Observed pattern |
|---|---|---|---|
| simplifaisoul/osiris | audited | 48 | fabricated intelligence, exposed scanners, hardcoded secrets, adversarial prompt-injection against AI review |
| h9zdev/GeoSentinel | audited | 20 | randomized “live” outputs, false provider state, unauthenticated AI memory writes, debug exposure |
| elm1nst3r/GHOST-osint-crm | audited | 17 | admin exposure, plaintext credentials, public investigative data leakage, anonymous mutation |
| h9zdev/WireTapper | audited | 16 | anonymous recon proxying, fabricated recon results, XSS sinks, fake feature contracts |
| Juliusolsson05/pharos-ai | audited | 14 | public fan-out, SSRF/open-proxy risks, exposed operator tooling, wrong canonical reference data |
| EliseyRotar/hantavirus-tracker | audited | 15 | public-health source laundering, fabricated freshness, duplicate inflation, unsafe CI publishing |
| koala73/worldmonitor | audited | 6 | browser-held secrets, fail-open CORS, stale live-data fallback, synthetic “normal operations” state |
| schiffmannlevi-rgb/HantaTracker26 | audited | 7 | hand-authored outbreak records, hardcoded confidence, inflated totals, misleading freshness |
| aingram702/OSINT-Master-Tool | audited | 6 | public execution metadata, plaintext lookups, vendored binaries, weak operational custody |
| Hue-Jhan/OSINT-War-Room | audited | 9 | logged credentials, unauthenticated scraper control, casualty theatre, simulated intercepts, permanently dead Twitter scraper |
| aenoshrajora/OSINTel-Dashboard | audited | 7 | public offensive tooling, mutable command templates, audit-history exposure, false-success streaming |
| aerayalkan/hantatracker | audited | 8 | hardcoded outbreak corpus, fake freshness, non-merged claimed sources, heuristic row invention |
| Xpirix/qgis-osint | audited | 6 | embedded tokens, wildcard CORS, trust-auth defaults, unsafe remote URL trust |
| delta-intel/delta-intelligence-dashboard | audited | 2 | undocumented internal API abuse across five market signals, time-of-day fallback misrepresented as surveillance data |
| VaradScript/GeoSentinel | blocked | 0 public issues | in scope, but GitHub issues are disabled so the normal evidence-backed filing path is blocked |
simplifaisoul/osiris
48 issues filed
Observed pattern: the most thoroughly audited repo in the series, and the most revealing. Fabricated intelligence across multiple layers, hardcoded secrets, unauthenticated high-cost surfaces, broken live features masked as operational, and, uniquely, a prompt injection in AGENTS.md filed as an attempt to subvert AI-assisted code review.
Why it leads the series
osiris presents itself as a comprehensive geopolitical intelligence platform with live feeds, threat metrics, satellite tracking, wildfire telemetry, and OSINT tooling. The issue trail shows most of these features are either broken, fabricated, or exploitable. The AGENTS.md finding goes further if the block is hand-authored rather than scaffolded: an instruction file that steers AI reviewers away from the code in front of them. That attribution is the part to verify before treating it as deliberate.
Issue summary (representative selection)
| Issue | Summary | Class |
|---|---|---|
| #46 | AGENTS.md contains deliberate prompt injection targeting AI coding agents with false Next.js breaking-changes claim | adversarial design |
| #45 | Unauthenticated scanner endpoint accepts arbitrary target with no SSRF protection — internal Tailscale network exposed | SSRF / no auth |
| #29 | Wildfire ingestion route contains hardcoded NASA FIRMS API key committed to source | credential exposure |
| #8 | Scanner proxy leaks secret material via query strings and exposes internal error detail to callers | secret leakage |
| #6 | Hardcoded Basic Authorization credential committed in CCTV integration | credential exposure |
| #30 | Fire layer mixes volcano events into wildfire data and fabricates fire telemetry | fabricated data |
| #41 | Space-weather route converts missing Kp telemetry into a false 'Quiet' condition rather than an absence | fabricated data |
| #38 | Live frontlines route is completely orphaned while the map renders static conflict markers as real-time | broken feature |
| #42 | Live Alerts news stream is dead due to a hard schema mismatch with /api/news | broken feature |
| #43 | Global Threat metric is coupled to layer-loading state and structurally underreports by default | data integrity |
h9zdev/GeoSentinel
20 issues filed
Observed pattern: fabricated intelligence-like output, false provider-health claims, privacy-hostile search retention, unsafe runtime design, and unauthenticated write access to the AI memory layer, all presented through a high-authority interface.
Why it stands out
Among the current set, this repo most clearly demonstrates the danger of preserving a convincing interface shape while swapping out the evidentiary substance underneath.
Issue summary
| Issue | Summary | Class |
|---|---|---|
| #16 | Public WiGLE token endpoint exfiltrates third-party API credentials | credential exposure |
| #17 | Vessel history endpoint fabricates AIS tracks from pseudorandom data | fabricated data |
| #18 | Geopolitical news route fabricates and caches synthetic intelligence as live output | fabricated data |
| #19 | Market data API reports LIVE status while emitting fabricated commodity prices | fabricated data |
| #20 | AIS ingestion uses process-global background state and breaks under multi-worker deployment | runtime design |
| #21 | Search stack scrapes public search engines and onion indexes as if they were stable APIs | provider abuse |
| #22 | Flask session signing falls back to a repository-known SECRET_KEY | session security |
| #23 | Identity search routes fabricate contact records and assign random similarity scores | fabricated data |
| #24 | Flask debug server bound to 0.0.0.0 enables unauthenticated Werkzeug RCE on any reachable host | debug exposure / RCE |
| #25 | Unauthenticated /api/search/inject route allows arbitrary AI memory poisoning via ChromaDB write | AI memory poisoning |
| #26 | Unauthenticated full CRUD on AI memory layer — single DELETE request wipes entire ChromaDB knowledge base | AI memory destruction |
| #27 | Unauthenticated /api/geosentialai/chat burns OpenRouter/HuggingFace API keys and proxies anonymous DuckDuckGo queries | API key abuse |
| #28 | /nearby route silently replaces empty WiGLE/Shodan scan results with hardcoded dummy surveillance devices | fabricated data |
| #30 | Status endpoints hardcode healthy subsystem state instead of checking dependencies | false health state |
| #31 | Placeholder HighSight route falsely reports provider online and key active | false provider status |
| #32 | Reverse-image search uploads user photos to third parties and fabricates similarity scores | privacy and fabricated scoring |
| #33 | Crime search silently stores guest investigative queries and results in SQLite | sensitive data retention |
elm1nst3r/GHOST-osint-crm
17 issues filed
Observed pattern: security and operations language in public docs, but issue-backed evidence of weak authorization, unsafe operational exposure, public investigative geodata, and anonymous mutation paths in code.
Why it stands out
The gap between documented posture and observed implementation is unusually visible here, especially around container control and public search exposure.
Issue summary
| Issue | Summary | Class |
|---|---|---|
| #12 | Advanced search is unauthenticated and interpolates sortBy directly into SQL | auth and injection |
| #13 | Unauthenticated Docker control endpoints allow remote stop/restart and log access | admin exposure |
| #14 | Logo upload accepts SVG and serves active content from the application origin | stored XSS |
| #15 | Nominatim throttling is broken and frontend geocoding bypasses the compliance boundary | provider misuse |
| #16 | Default Docker deployment exposes PostgreSQL with the repository-known password 'changeme' | secret hygiene |
| #17 | Backend session middleware falls back to a repository-known signing secret | session security |
| #18 | Wireless network passwords are stored and rendered in plaintext | credential handling |
| #19 | Bootstrap docs and scripts normalise repository-known admin credentials as the expected setup path | credential hygiene |
| #20 | Unauthenticated /api/system/health exposes memory, CPU, DB pool state, and database record counts | info disclosure |
| #21 | Session cookie missing SameSite attribute and no CSRF middleware — all authenticated mutation routes vulnerable | CSRF |
| #22 | GET /api/audit-logs is unauthenticated — exposes all investigation activity and target identities to anonymous callers | info disclosure |
| #23 | docker-compose.yml hardcodes NODE_ENV=development, permanently bypassing the production security validation block | deployment misconfiguration |
| #24 | Unauthenticated /api/locations exposes named investigative geodata and relationship metadata | privacy exposure |
| #25 | Public /api/geocode/batch rewrites all stored locations through anonymous batch geocoding | unauthenticated mutation |
| #26 | Public batch-enhanced geocoder allows anonymous Nominatim fan-out and shared-cache mutation | public fan-out / cache mutation |
h9zdev/WireTapper
16 issues filed
Observed pattern: anonymous provider-backed reconnaissance, fabricated fallback output, browser-side XSS sinks, and a frontend that advertises telemetry, identity, and AI flows the backend does not even implement.
Why it stands out
The observed behavior suggests a system that would rather look useful than visibly admit failure, which is precisely the wrong instinct for a tool making evidence-like claims.
Issue summary
| Issue | Summary | Class |
|---|---|---|
| #10 | Public recon endpoints proxy anonymous searches into WiGLE, Shodan, and cell-data providers | public recon abuse |
| #11 | Recon APIs fabricate device intelligence when providers return no data | fabricated data |
| #12 | Cell tower lookups use plaintext HTTP and scrape public AJAX endpoints as APIs | provider misuse |
| #13 | Untrusted provider fields are injected into popup and sidebar HTML, creating XSS sinks | XSS sink |
| #14 | Recon routes make outbound provider calls with no timeouts, allowing worker starvation | resource exhaustion |
| #15 | Committed entrypoints run the Flask debug server on 0.0.0.0 | debug exposure |
| #16 | Chat/message renderer writes arbitrary HTML into innerHTML | XSS sink |
| #17 | Tracked entrypoint encourages provider secrets to be stored directly in source | secret hygiene |
| #18 | Search results renderer injects unsanitised provider SSID and vendor fields into DOM via innerHTML | XSS sink |
| #19 | wpasec_kquery silently exfiltrates BSSID/SSID fingerprints to wpa-sec.stanev.org on every scan without disclosure | data exfiltration |
| #20 | Duplicate runnable entrypoints create split-brain runtime behavior | runtime divergence |
| #21 | Frontend ships fake identity and logout flows backed by nonexistent routes | false auth surface |
| #22 | Frontend emits telemetry to a nonexistent /log-activity endpoint on every session | dead telemetry |
| #23 | Built-in AI assistant calls a nonexistent /chatgpt backend route | fake feature contract |
EliseyRotar/hantavirus-tracker
15 issues filed
Observed pattern: a public health surveillance tracker that markets live, source-attributed outbreak data while almost all of its case records are hardcoded seed constants. The primary ArcGIS data source returns 0 live cases every run, contains a NameError that silently drops all fetched records, and the GeoJSON metadata reports "status": "ok" for every source regardless of whether live data was used or hardcoded fallback was returned.
Why it stands out
The hantavirus-tracker applies the AI slop pattern to a domain where fabrication carries a specific and serious harm: public health decision-making during an active outbreak. The deduplication key inflates case counts by counting the same outbreak event once per data source, and the GitHub Actions workflow auto-pushes to the production Pages branch with no dependency pinning and no branch protection. Compromising a single PyPI package produces a write to the live public website.
Issue summary
| Issue | Summary | Class |
|---|---|---|
| #1 | Scraper injects hardcoded MV Hondius itinerary rows into the published outbreak dataset | fabricated data |
| #2 | Supplementary collectors publish hand-authored seed cases under CDC, ECDC, HealthMap, and GDELT source labels | fabricated data / false provenance |
| #7 | NameError in arcgis.py drops all ArcGIS cases when any feature has an unknown location | silent data loss |
| #8 | GeoJSON metadata reports 'ok' for all sources regardless of live-vs-seed-fallback origin | false health state |
| #9 | Scrape workflow grants contents:write and auto-pushes to main with no dependency pinning or branch protection | supply chain / CI risk |
| #10 | Pages workflow deploys entire repo root, exposing scrape logs, Python source, and dependency manifests | info disclosure |
| #11 | Cross-source deduplication key includes source field, causing the same case to be counted once per data source | inflated case counts |
| #12 | HealthMap collector scrapes an undocumented internal PHP endpoint without authorization | unauthorized API access |
| #13 | Seed case source_verified_at timestamps are set to run time, fabricating data-freshness signals for hardcoded records | fabricated freshness signals |
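The inflation mechanism in issue #11 is worth seeing as code because it is easy to write by accident: a deduplication key that includes the reporting source turns every feed that carries the same event into a new record. The block below is an added example, not hantavirus-tracker's code. The records and their field names are constructed and hypothetical: one event reported by three feeds, plus one event reported once. Keying on the source counts the first event three times; keying on the event and folding the contributing sources into a list keeps provenance without inflating the total.

```python
"""Cross-source deduplication of outbreak records; added example."""

# Constructed sample: three feeds reporting one event, plus a second event.
SAMPLE_RECORDS = [
    {"source": "CDC",       "event_date": "2026-05-10", "location": "Example County, NM", "cases": 3},
    {"source": "ECDC",      "event_date": "2026-05-10", "location": "Example County, NM", "cases": 3},
    {"source": "HealthMap", "event_date": "2026-05-10", "location": "Example County, NM", "cases": 3},
    {"source": "CDC",       "event_date": "2026-05-12", "location": "Other County, AZ",   "cases": 1},
]
EVENT_FIELDS = ("event_date", "location")


def event_key(record, include_source):
    """The deduplication key. Including `source` makes the same event a new key per feed."""
    key = tuple(record[f] for f in EVENT_FIELDS)
    return key + (record["source"],) if include_source else key


def dedupe(records, include_source):
    """Merge records sharing a key. The first report wins for case data; every
    contributing feed is retained under `sources` so provenance survives the merge."""
    merged = {}
    for rec in records:
        key = event_key(rec, include_source)
        if key in merged:
            merged[key]["sources"].append(rec["source"])
            continue
        entry = {k: v for k, v in rec.items() if k != "source"}
        entry["sources"] = [rec["source"]]
        merged[key] = entry
    return list(merged.values())


def total_cases(records):
    return sum(r["cases"] for r in records)


def compare():
    """Return (inflated_total, inflated_count, merged_total, merged_count)."""
    inflated = dedupe(SAMPLE_RECORDS, include_source=True)
    merged = dedupe(SAMPLE_RECORDS, include_source=False)
    return total_cases(inflated), len(inflated), total_cases(merged), len(merged)
```

On the sample, the source-keyed version publishes 4 records and 10 cases; the event-keyed version publishes 2 records and 4 cases with all three feeds still attached to the first event. "First report wins" is the simplest conflict rule; when feeds disagree on the count, the published record should say which feed it took the number from rather than pick silently.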
VaradScript/GeoSentinel
cloned / issue filing blocked
Observed state: in scope for the same hostile-quality first pass, but the public issue workflow is blocked because the repository has GitHub issues disabled.
Why it is in scope
The naming overlap and likely fork-or-variant relationship make it a high-yield candidate for duplicated architectural and data-quality failures. It belongs in the series because cloned dashboard families often reproduce the same bugs with minimal adaptation.
Current status
- Repository cloned into the local audit workspace.
- GitHub issues are disabled, so the normal evidence-backed public filing path cannot be used here.
Juliusolsson05/pharos-ai
14 issues filed
Observed pattern: expensive public AI surfaces, proxy-style fetch paths, unauthenticated operator tooling, and a reference-data layer willing to ship speculative or incorrect geopolitical facts as if they were settled baseline truth.
Why it is in scope
This repo represents the more polished end of the same genre: cleaner code, better structure — but still a willingness to expose costly or trust-sensitive behavior through thin public boundaries, and still shipping committed credentials and an exploitable proxy.
Issue summary
| Issue | Summary | Class |
|---|---|---|
| #78 | Public image proxy uses incomplete SSRF defenses and follows unvalidated redirects | proxy trust boundary |
| #79 | Public chat endpoint can trigger unbounded OpenAI spend and anonymous data growth | cost exposure |
| #80 | Public RSS fetch endpoint exposes unauthenticated multi-feed fan-out and cache warming | public fan-out |
| #81 | Prediction history endpoint allows unbounded in-memory cache growth | cache growth |
| #82 | OSINT subsystem ships repository-known storage and database credentials in committed config | credential exposure |
| #83 | Markets route scrapes Yahoo Finance internal chart API using a hardcoded browser User-Agent | provider abuse |
| #84 | Unauthenticated image proxy misses Tailscale CGNAT range in SSRF blocklist and proxies arbitrary Content-Type responses | SSRF / open proxy |
| #85 | World Bank military route accepts unbounded country list — triggers N×7 parallel upstream requests per call with no count cap or auth | resource exhaustion |
| #86 | Live-status endpoint caches offline on transient exceptions | false outage state |
| #87 | OSINT service exposes Bull Board queue dashboard without authentication | operator surface exposure |
| #88 | Public predictions-markets route fans out 12 Polymarket searches on every request | public fan-out |
| #89 | Reference datasets hardcode incorrect and speculative geopolitical facts as canonical data | canonical data corruption |
delta-intel/delta-intelligence-dashboard
2 issues filed
Observed pattern: a market intelligence and geopolitical risk dashboard that presents cleaner architecture than most of the field — but still calls Yahoo Finance's undocumented internal chart API as if it were a stable, authorized integration, and ships a "Pentagon Pizza Index" fallback that returns a time-of-day integer score rather than a null when the live API is unavailable.
Why it is in scope
delta-intelligence-dashboard is notable precisely because it is better-built than most of the cluster: TypeScript, cleaner component structure, less outright fabrication. What remains is a quieter failure: five market-intelligence signals all routed through an undocumented query1.finance.yahoo.com/v8/finance/chart/ endpoint using a hardcoded browser User-Agent, and a fallback that misrepresents a DC office-hours heuristic as a real intelligence signal. Better code does not exempt the design from the same provider-discipline questions as the rest of the series.
Issue summary
| Issue | Summary | Class |
|---|---|---|
| #1 | Five market signals call Yahoo Finance undocumented internal chart API on every polling cycle | provider abuse |
| #2 | Pentagon Pizza Index fallback returns time-of-day score instead of null when live API is unavailable | fabricated fallback |
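The fallback in #2 and pharos-ai's #86 (live-status endpoint caching "offline" on transient exceptions) are the same design fault seen from two sides: the failure path either invents a value or promotes a momentary error to a persistent state. The TypeScript below is an added example written for this page, not code from delta-intelligence-dashboard or pharos-ai. It models a signal as a discriminated union with no branch that manufactures a number, serves a clearly labelled stale value only within a bounded age, and caches a definitive offline answer while retrying transient errors. The source name, TTL and staleness limits, and the synchronous `probe` (used so the example runs without a network) are assumptions.

```typescript
// Added example, not delta-intelligence-dashboard's or pharos-ai's code. A
// Signal carries a measured value with its provenance, a clearly labelled stale
// copy of the last measurement, or an explicit "unavailable". No branch
// manufactures a number when the upstream cannot be reached.
export type Signal<T> =
  | { status: "live"; value: T; source: string; observedAt: number }
  | { status: "stale"; value: T; source: string; observedAt: number; ageMs: number; reason: string }
  | { status: "unavailable"; source: string; reason: string };

// Result of one upstream probe. A transient failure (timeout, 5xx, DNS error)
// is distinct from a definitive offline answer and is never cached as an outage.
export type Probe<T> =
  | { kind: "ok"; value: T }
  | { kind: "transient"; error: string }
  | { kind: "offline"; error: string };

export class SignalStore<T> {
  private last?: { value: T; observedAt: number };
  private cached?: { signal: Signal<T>; until: number };

  // probe is synchronous here so the example runs without a network; the
  // state machine is unchanged if it returns a Promise and read() awaits it.
  constructor(
    private readonly source: string,
    private readonly probe: () => Probe<T>,
    private readonly now: () => number,
    private readonly ttlMs: number,       // how long a result is served without re-probing
    private readonly maxStaleMs: number,  // how old a last-good value may be before it is withdrawn
  ) {}

  read(): Signal<T> {
    const t = this.now();
    if (this.cached && this.cached.until > t) return this.cached.signal;
    const r = this.probe();
    if (r.kind === "ok") {
      this.last = { value: r.value, observedAt: t };
      const live: Signal<T> = { status: "live", value: r.value, source: this.source, observedAt: t };
      this.cached = { signal: live, until: t + this.ttlMs };
      return live;
    }
    const last = this.last;
    const age = last ? t - last.observedAt : Infinity;
    const fallback: Signal<T> = last && age <= this.maxStaleMs
      ? { status: "stale", value: last.value, source: this.source, observedAt: last.observedAt, ageMs: age, reason: r.error }
      : { status: "unavailable", source: this.source, reason: r.error };
    // Only a definitive offline answer is cached; a transient error is retried on the next read.
    this.cached = r.kind === "offline" ? { signal: fallback, until: t + this.ttlMs } : undefined;
    return fallback;
  }
}

// What a dashboard tile should render: the value only when it was measured,
// and the uncertainty in words the reader cannot miss.
export function describeSignal<T>(s: Signal<T>): string {
  switch (s.status) {
    case "live":
      return `${String(s.value)} (live from ${s.source})`;
    case "stale":
      return `${String(s.value)} (stale, ${Math.round(s.ageMs / 60000)} min old, ${s.source}: ${s.reason})`;
    case "unavailable":
      return `unavailable (${s.source}: ${s.reason})`;
  }
}
```

The type makes the fabrication in #2 unrepresentable: a time-of-day heuristic has no `source` that measured it and no `observedAt`, so it cannot be constructed as a `live` or `stale` signal. It can only be rendered as what it is, a separate heuristic tile, if the product wants to show it at all.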
Why this matters
- User risk: readers may make judgments based on synthetic, simulated, or weakly substantiated output.
- Platform risk: exposed control surfaces and weak provider discipline create avoidable abuse and reliability risk.
- Reputational risk: products that borrow the language of intelligence analysis acquire a higher burden of care, not a lower one.
- Environmental cost: energy-intensive AI and data pipelines are being spent on fabricated or low-integrity outputs, turning planetary cost into confidence theatre.
- Public trust harm: when theatrical interfaces hide evidentiary weakness, the broader category becomes harder to take seriously.
- Market harm: the proliferation of these systems lowers the perceived standard for what “intelligence” software is allowed to get away with.
What this does not prove
- It does not prove the maintainers intended abuse or deception.
- It does not prove malicious use occurred.
- It does not prove every route, every feature, or every repo in this cluster behaves the same way.
- It does not prove any one provider relationship was formally terminated or breached.
- It does not remove the need for further verification and remediation review as the issue set evolves.
Methodology
- Sources reviewed: public repositories, public issue trackers, README and security docs, visible route and integration code.
- Tests performed: non-invasive code inspection, route inventory, duplicate issue checks, provider usage review, and issue-backed documentation.
- Tests not performed: no destructive testing, no brute force, no third-party scanning, no auth bypass, no exploitation of live external systems.
- Redactions: issue bodies were written to avoid disclosing secrets or misuse-enabling detail unnecessarily.
- Confidence level: high on the documented issue set; lower on any broader industry inference beyond the repos already audited.
Conclusion
The slop-era failure is unearned authority at industrial scale. If outputs are synthetic, controls are weak, and provider boundaries are fragile, the system is not functioning as intelligence infrastructure regardless of interface polish. What makes this pattern so abrasive is how often the same failures are shipped with full confidence and then recopied into the next repo as if nobody will read the code.
Updates and corrections
- 2026-05-14: Initial publication of the static exposé page.
- 2026-05-14: Added linked issue index for the current audited repo set.
- 2026-05-14: Expanded article structure to include claim/evidence blocks, timeline, methodology, caveats, right of reply, and update log.
- 2026-05-14: Expanded the page to reflect the wider six-repo review series and added a public submission block.
- 2026-05-14: Added reader-guide framing and accessibility-focused feedback updates for focus visibility, target size, and progress announcements.
- 2026-05-14: Second-pass audits completed across all five active repos. New findings include: AI memory poisoning (GeoSentinel #25), missing CSRF protection (GHOST #21), silent BSSID/SSID exfiltration (WireTapper #19), SSRF blocklist bypass (pharos-ai #84).
- 2026-05-14: osiris elevated from footnote to lead case study. Full issue table added with 41-issue trail. AGENTS.md prompt injection (osiris #46) documented as the standout finding of the series — a deliberate attempt to subvert AI-assisted security review.
- 2026-05-14: Article statistics updated to reflect complete coverage: 82 findings across 5 audited repos. All issue tables brought current. Two new osiris evidence cards added to Claim 1.
- 2026-05-15 (morning): Third-pass audit complete. New findings widened the pattern beyond obvious auth bugs: GeoSentinel now includes false provider status, random reverse-image similarity scoring, and guest investigative-history retention (#31-33); GHOST-osint-crm now includes public investigative geodata exposure and anonymous full-dataset geocode mutation (#24-26); WireTapper now includes fake identity, dead telemetry, and a nonexistent AI backend contract (#21-23); pharos-ai now includes an exposed queue dashboard, public 12-query prediction fan-out, and incorrect canonical geopolitical reference data (#87-89).
- 2026-05-15 (afternoon): Fourth-pass audit added EliseyRotar/hantavirus-tracker, a public health surveillance tracker for the May 2026 MV Hondius Andes hantavirus outbreak. Fifteen issues are now filed there, covering hardcoded source-branded seed data, false freshness signals, duplicate inflation, an ArcGIS collector failure, and unsafe CI publication paths.
- 2026-05-15 (late): The sample widened again and the pattern held. worldmonitor, HantaTracker26, OSINT-Master-Tool, OSINT-War-Room, OSINTel-Dashboard, hantatracker, and qgis-osint all produced first-pass issue sets quickly. The broader series now stands at 177 filed issues across 13 active public trackers, with VaradScript/GeoSentinel still blocked by disabled issues.
- 2026-05-15 (latest): Added repo-level decommission or archival recommendation issues across every active tracker in scope. The argument is now structural, not cosmetic: repeated fabricated output, exposed control surfaces, and false operational state are enough to question whether these repos should remain publicly positioned as usable systems.
- 2026-05-15 (fifth pass): delta-intelligence-dashboard added to scope. Two issues filed: undocumented Yahoo Finance internal chart API used for all five market signals (VIX, Treasury, WTI Crude, Gold, Dollar Index), and the Pentagon Pizza Index fallback returning a time-of-day integer score instead of null when the live API is unavailable. OSINT-War-Room updated to 9 issues (+2: permanently disabled Twitter scraper still spawned at startup, and decommission recommendation). Series total: 181 filed issues across 14 active public trackers.