[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-10958":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":13,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":14,"forks30d":14,"starsTrendScore":18,"compositeScore":19,"rankGlobal":9,"rankLanguage":9,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":9,"pushedAt":9,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":14,"starSnapshotCount":14,"syncStatus":15,"lastSyncTime":27,"discoverSource":28},10958,"aimap","BishopFox\u002Faimap","BishopFox","Discover Exposed AI Services",null,"Python",168,33,1,0,2,7,71,6,4.59,"MIT License",false,"main",[],"2026-06-12 02:02:29","# AIMap\n\n**Internet-scale discovery and security testing platform for exposed AI agent infrastructure.**\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\"screenshots\u002Faimap-tour.gif\" alt=\"AIMap UI Tour\" width=\"800\" \u002F>\n\u003C\u002Fp>\n\nAIMap finds, fingerprints, and security-tests publicly exposed AI endpoints — MCP servers, Ollama instances, vLLM\u002FLiteLLM proxies, LangServe chains, Gradio apps, ComfyUI nodes, and more. Think Shodan, but purpose-built for the AI agent attack surface.\n\nBuilt by [Bishop Fox](https:\u002F\u002Fbishopfox.com).\n\n> **Warning**\n> This tool is intended for **authorized penetration testing and security research only**. You must only use AIMap against systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal. Bishop Fox assumes no liability and is not responsible for any misuse or damage caused by this tool. Use responsibly.\n\n---\n\n## What It Does\n\n1. **Discover** — Queries Shodan with 32+ curated search queries to find exposed AI\u002FML endpoints across the internet\n2. 
**Fingerprint** — Probes each endpoint with Nuclei templates and live HTTP checks to identify the protocol, framework, auth status, tools, models, and system prompts\n3. **Score** — Computes a 0–10 risk score based on authentication, tool exposure, CORS policy, TLS, system prompt leakage, and dangerous capability combinations\n4. **Test** — Launches protocol-specific attack suites (MCP tool abuse, Ollama model extraction, prompt injection) with real-time streaming results\n5. **Visualize** — 3D globe showing every discovered endpoint, searchable with a Shodan-style query language\n\n---\n\n## Architecture\n\n```\n┌─────────────┐     ┌──────────────┐     ┌───────────┐\n│  React SPA  │────▶│  FastAPI      │────▶│  MongoDB  │\n│  (Vite)     │ WS  │  Backend      │     │           │\n└─────────────┘     └──────┬───────┘     └───────────┘\n                           │\n              ┌────────────┼────────────┐\n              ▼            ▼            ▼\n        ┌──────────┐ ┌──────────┐ ┌──────────┐\n        │  Shodan  │ │  Nuclei  │ │  Redis   │\n        │  API     │ │  Scanner │ │  Streams │\n        └──────────┘ └──────────┘ └──────────┘\n```\n\n**Backend** — Python\u002FFastAPI with async MongoDB (Motor), Redis Streams for attack log streaming, and a discovery engine that orchestrates Shodan queries → httpx liveness checks → Nuclei template scans → enrichment pipeline.\n\n**Frontend** — React 18 + TypeScript + Tailwind CSS + shadcn\u002Fui. 
Features a 3D globe (globe.gl), real-time attack streaming via WebSocket, and a Shodan-style search interface.\n\n**Scanning** — 5 custom Nuclei YAML templates for MCP server detection, MCP tool enumeration, OpenAI-compatible API detection, LangServe detection, and prompt leak testing.\n\n---\n\n## Supported Protocols\n\n| Protocol | Detection Method | Shodan Queries |\n|----------|-----------------|----------------|\n| **MCP** (Model Context Protocol) | SSE transport, JSON-RPC, `\u002Fmcp\u002Fsse` paths | 4 queries |\n| **Ollama** | Default port 11434, product fingerprint | 3 queries |\n| **vLLM \u002F LiteLLM \u002F LocalAI** | `\u002Fv1\u002Fmodels`, `\u002Fv1\u002Fchat\u002Fcompletions` endpoints | 4 queries |\n| **LangServe \u002F LangChain** | Playground endpoints, langserve markers | 2 queries |\n| **OpenClaw \u002F Clawdbot** | Control dashboard, port 18789 | 3 queries |\n| **Open WebUI \u002F LibreChat** | Title-based detection | 2 queries |\n| **Gradio** | Title, footer watermark, favicon hash | 3 queries |\n| **Streamlit** | Title, favicon hash | 2 queries |\n| **ComfyUI \u002F Stable Diffusion** | Title, port-based detection | 4 queries |\n| **HuggingFace TGI** | HTML markers | 1 query |\n| **Generic inference** | `\u002Fapi\u002Fgenerate`, `\u002Fapi\u002Ftags` paths | 2 queries |\n\n---\n\n## Risk Scoring\n\nEach endpoint receives a 0–10 risk score computed from:\n\n| Factor | Score Impact |\n|--------|-------------|\n| No authentication | +4.0 |\n| Unknown auth status | +1.0 |\n| 10+ tools exposed | +2.0 |\n| 5+ tools exposed | +1.0 |\n| Critical-risk tool (e.g., `exec_code`, `run_shell`) | +1.0 each |\n| High-risk tool (e.g., `query_db`, `file_read`) | +0.5 each |\n| Open CORS (`*`) | +1.0 |\n| No TLS | +0.5 |\n| System prompt leaked | +0.5 |\n| Models exposed | +1.0 |\n| Uncensored model detected | +2.0 |\n| Signup enabled (no invite required) | +1.5 |\n| Dangerous combo (e.g., no auth + code exec tool) | +1.0 each |\n\n---\n\n## Setup\n\n### 
Prerequisites\n\n- Python 3.12+\n- Node.js 18+\n- MongoDB 7+\n- Redis 7+ (optional — falls back to in-memory for local dev)\n- [Nuclei](https:\u002F\u002Fgithub.com\u002Fprojectdiscovery\u002Fnuclei) (optional — needed for active scanning)\n- A [Shodan API key](https:\u002F\u002Faccount.shodan.io\u002F) (required for discovery scans)\n\n### Quick Start (Docker Compose)\n\n```bash\n# Clone\ngit clone git@github.com:BishopFox\u002Faimap.git\ncd aimap\n\n# Configure\ncp .env.example .env\n# Edit .env — at minimum set SHODAN_API_KEY\n\n# Launch\ndocker compose up --build\n```\n\nThis starts 4 services:\n- **MongoDB** on port 27017\n- **Redis** on port 6379\n- **Backend** on port 8000\n- **Frontend** on port 80\n\nOpen `http:\u002F\u002Flocalhost` to access the UI.\n\n### Local Development (without Docker)\n\n```bash\n# Backend\ncd backend\npython -m venv .venv\nsource .venv\u002Fbin\u002Factivate\npip install -r requirements.txt\nuvicorn app.main:app --reload --port 8000\n\n# Frontend (separate terminal)\ncd frontend\nnpm install\nnpm run dev   # starts on http:\u002F\u002Flocalhost:5173\n```\n\nMake sure MongoDB is running locally on port 27017. 
Redis is optional — the backend falls back to in-memory buffers when Redis is unavailable.\n\n### Environment Variables\n\nCreate a `.env` file in the project root:\n\n```bash\n# Required\nSHODAN_API_KEY=your_shodan_api_key\n\n# Optional — Censys as an additional discovery source\nCENSYS_API_ID=\nCENSYS_API_SECRET=\n\n# Optional — enables AI-powered attack analysis\nANTHROPIC_API_KEY=\n\n# MongoDB (defaults work for local dev)\nMONGODB_URI=mongodb:\u002F\u002Flocalhost:27017\nMONGODB_DB=aimap\n\n# Redis (defaults work for local dev; optional)\nREDIS_URL=redis:\u002F\u002Flocalhost:6379\u002F0\n\n# CORS (default allows all origins)\nCORS_ORIGINS=*\n\n# Modal serverless (dispatches scans\u002Fattacks to Modal containers)\nMODAL_ENABLED=false\n\n# Clerk auth — see below\nCLERK_ISSUER=\n```\n\n### Authentication (Clerk)\n\nAIMap uses [Clerk](https:\u002F\u002Fclerk.com) for authentication. To enable:\n\n1. Create a Clerk application at [clerk.com](https:\u002F\u002Fclerk.com)\n2. Set the backend issuer URL:\n   ```bash\n   # .env (project root)\n   CLERK_ISSUER=https:\u002F\u002Fyour-app.clerk.accounts.dev\n   ```\n3. Set the frontend publishable key:\n   ```bash\n   # frontend\u002F.env.local\n   VITE_CLERK_PUBLISHABLE_KEY=pk_test_...\n   ```\n\n**To disable authentication** (local dev, demos): leave `CLERK_ISSUER` empty or unset. The backend will accept all requests with a synthetic `local` user identity.\n\n---\n\n## Usage\n\n### Running a Discovery Scan\n\n1. Navigate to **Scans** in the sidebar\n2. Click **New Scan**\n3. Select query presets (e.g., `ollama`, `mcp_protocol`, `vllm`) or enter a custom Shodan query\n4. Optionally scope to a CIDR range (the orchestrator prepends `net:\u003Ccidr>` to each query)\n5. 
Click **Run** — the scan pipeline executes:\n   - **Shodan search** — pulls matching hosts\n   - **httpx sweep** — verifies hosts are alive\n   - **Nuclei scan** — runs custom templates against live hosts\n   - **Enrichment** — framework detection, auth probing, risk scoring\n6. Monitor progress via the real-time WebSocket status bar or by polling the scan detail page\n\n### Searching Endpoints\n\nUse the search bar with Shodan-style query syntax:\n\n```\nprotocol:mcp                          # MCP servers\nauth:none                             # No authentication\nrisk:critical                         # Risk score >= 9.0\nrisk:high                             # Risk score 7.0 – 8.9\nrisk:medium                           # Risk score 4.0 – 6.9\nrisk:low                              # Risk score 1.0 – 3.9\ntool:query_db                         # Endpoints exposing a specific tool\ncountry:US                            # By country code\nport:11434                            # By port number\norg:\"Amazon AWS\"                      # By hosting organization (quote multi-word values)\nhas:system_prompt                     # Endpoints with leaked system prompts\n```\n\nCombine filters freely:\n\n```\nprotocol:mcp auth:none country:US     # Unauthenticated MCP servers in the US\nrisk:critical tool:exec_code          # Critical endpoints with code execution tools\nprotocol:ollama port:11434            # Ollama on default port\n```\n\nAny text that doesn't match a `key:value` pattern is treated as a free-text search across all indexed fields.\n\n### Launching Attack Tests\n\n1. Navigate to an endpoint's detail page\n2. Click **Attack** to open the test panel\n3. 
Select an attack profile — the system auto-selects the engine based on protocol:\n   - **MCP** → Tool enumeration, unauthorized tool invocation, prompt injection via tool descriptions\n   - **Ollama** → Model listing, model weight extraction, prompt injection\n   - **OpenAI-compatible** → Model enumeration, completion abuse, system prompt extraction\n4. Watch results stream in real-time via WebSocket\n5. Results include severity ratings, raw request\u002Fresponse pairs, and remediation guidance\n\n### Exploring the Globe\n\nThe landing page features an interactive 3D globe showing all discovered endpoints:\n- **Pin color** = protocol type (blue = MCP, green = Ollama, purple = OpenAI-compat, etc.)\n- **Pin height** = risk score\n- **Hover** for endpoint summary (IP, port, protocol, risk, auth, tools, model, location)\n- **Click** to navigate to the endpoint detail page\n- Mouse drag to rotate, scroll to zoom\n\n---\n\n## Nuclei Templates\n\nCustom templates in the `templates\u002F` directory:\n\n| Template | Purpose |\n|----------|---------|\n| `mcp-server-detect.yaml` | Detects MCP servers via SSE transport and JSON-RPC capabilities response |\n| `mcp-tool-enum.yaml` | Enumerates tools exposed by MCP servers (names, descriptions, input schemas) |\n| `openai-compat-detect.yaml` | Detects OpenAI-compatible endpoints via `\u002Fv1\u002Fmodels` |\n| `langserve-detect.yaml` | Detects LangServe deployments with exposed playground |\n| `prompt-leak.yaml` | Attempts system prompt extraction via common injection techniques |\n\n---\n\n## API Reference\n\nAll endpoints are prefixed with `\u002Fapi\u002F`.\n\n| Method | Path | Description |\n|--------|------|-------------|\n| `GET` | `\u002Fhealth` | Health check |\n| `GET` | `\u002Fendpoints` | List endpoints (paginated, filterable) |\n| `POST` | `\u002Fendpoints\u002Fsearch` | Advanced search with query syntax |\n| `GET` | `\u002Fendpoints\u002Fglobe` | Geo data for 3D globe |\n| `GET` | `\u002Fendpoints\u002Fstats` | 
Aggregate statistics |\n| `GET` | `\u002Fendpoints\u002F{id}` | Endpoint detail |\n| `POST` | `\u002Fendpoints\u002F{id}\u002Fenrich` | Trigger enrichment for one endpoint |\n| `POST` | `\u002Fendpoints\u002Fenrich-all` | Batch enrichment |\n| `GET` | `\u002Fscans` | List scans |\n| `POST` | `\u002Fscans` | Create a scan |\n| `POST` | `\u002Fscans\u002F{id}\u002Frun` | Execute a scan |\n| `GET` | `\u002Fscans\u002Fquery-presets` | Available Shodan query presets |\n| `WS` | `\u002Fscans\u002F{id}\u002Fprogress` | Live scan progress |\n| `POST` | `\u002Fattack` | Launch an attack test |\n| `WS` | `\u002Fattack\u002F{id}\u002Fstream` | Live attack log stream |\n| `GET` | `\u002Fattack\u002F{id}\u002Fstatus` | Attack status |\n\n---\n\n## Project Structure\n\n```\naimap\u002F\n├── backend\u002F\n│   ├── app\u002F\n│   │   ├── main.py                  # FastAPI app, lifespan, CORS, routers\n│   │   ├── config.py                # Pydantic settings from env\n│   │   ├── auth.py                  # Clerk JWT verification (bypass when CLERK_ISSUER empty)\n│   │   ├── database.py              # Async MongoDB (Motor) connection\n│   │   ├── limiter.py               # SlowAPI rate limiting\n│   │   ├── routes\u002F\n│   │   │   ├── endpoints.py         # CRUD + search + globe + enrichment\n│   │   │   ├── scans.py             # Scan lifecycle + execution + WebSocket\n│   │   │   └── attack.py            # Attack dispatch + Redis Streams + WebSocket\n│   │   ├── discovery\u002F\n│   │   │   ├── orchestrator.py      # Scan pipeline: Shodan → httpx → Nuclei → ingest\n│   │   │   ├── shodan_adapter.py    # 32 curated Shodan queries + result normalization\n│   │   │   ├── nuclei_runner.py     # Nuclei subprocess runner + finding parser\n│   │   │   └── base.py              # SourceAdapter abstract base\n│   │   └── services\u002F\n│   │       ├── attack_mcp.py        # MCP protocol attack engine\n│   │       ├── attack_ollama.py     # Ollama attack engine\n│   │       ├── 
attack_openclaw.py   # OpenClaw\u002FClawdbot attack engine\n│   │       ├── enrichment.py        # Shodan\u002FNuclei enrichment + risk scoring\n│   │       ├── live_probe.py        # HTTP probing for model\u002Ftool enumeration\n│   │       ├── search.py            # Shodan-style query parser → MongoDB filters\n│   │       ├── redis_client.py      # Async Redis singleton with fallback\n│   │       └── concurrency.py       # Semaphore + Redis-based slot limiting\n│   ├── Dockerfile\n│   └── requirements.txt\n├── frontend\u002F\n│   ├── src\u002F\n│   │   ├── App.tsx                  # Routes + Clerk auth wrapper\n│   │   ├── pages\u002F\n│   │   │   ├── Marketing.tsx        # Public landing page with 3D globe\n│   │   │   ├── Landing.tsx          # Authenticated dashboard with globe\n│   │   │   ├── Search.tsx           # Endpoint search with query syntax\n│   │   │   ├── Explore.tsx          # Browse\u002Ffilter all endpoints\n│   │   │   ├── AgentDetail.tsx      # Single endpoint deep-dive\n│   │   │   ├── TestAgent.tsx        # Attack test launcher\n│   │   │   ├── Scans.tsx            # Scan management\n│   │   │   └── Ranges.tsx           # CIDR range management\n│   │   ├── components\u002F\n│   │   │   ├── GlobeVisualization.tsx  # globe.gl 3D globe + legend\n│   │   │   ├── Layout.tsx           # App shell (sidebar + navbar)\n│   │   │   └── ui\u002F                  # shadcn\u002Fui components\n│   │   ├── hooks\u002FuseApi.ts          # SWR hooks for all API endpoints\n│   │   └── lib\u002Fapi-client.ts        # Fetch wrapper with Clerk token injection\n│   ├── Dockerfile\n│   ├── nginx.conf\n│   └── tailwind.config.js\n├── templates\u002F                       # Nuclei YAML templates\n├── docs\u002F                            # GitHub Pages static site\n├── docker-compose.yml\n├── .env.example\n└── README.md\n```\n\n---\n\n## Concurrency Limits\n\nThe platform enforces global concurrency limits to prevent abuse:\n\n- **Max 3 concurrent scans** — 
additional scans receive HTTP 429\n- **Max 5 concurrent attacks** — additional attacks receive HTTP 429\n- **Rate limiting** — 10 requests\u002Fminute on scan and attack creation endpoints\n\nWhen using Docker Compose, these limits are enforced via Redis counters (cross-container). In local dev mode, they fall back to `asyncio.Semaphore` (single-process).\n\n---\n\n## Optional: Modal Serverless\n\nFor heavy scanning workloads, scans and attacks can be dispatched to [Modal](https:\u002F\u002Fmodal.com) containers:\n\n```bash\nMODAL_ENABLED=true\n```\n\nWhen enabled, `POST \u002Fscans\u002F{id}\u002Frun` and `POST \u002Fattack` will call `modal.Function.from_name(\"aimap\", \"run_scan_task\")` \u002F `run_attack_task` instead of running locally. Falls back to local execution if Modal dispatch fails.\n\n---\n\n## License\n\nMIT License. See [LICENSE](LICENSE) for details.\n\nThis project is maintained by [Bishop Fox](https:\u002F\u002Fbishopfox.com).\n","AIMap is a platform for discovering and security-testing publicly exposed AI service endpoints. It identifies and assesses the security posture of these endpoints through Shodan queries, Nuclei template scans, and live HTTP checks; it supports multiple protocols such as MCP and Ollama, and can detect the framework, authentication status, tools in use, and models. Based on a computed risk score, AIMap can also run protocol-specific attack tests against discovered targets, and it provides a 3D visualization showing the global distribution of exposed AI services. The project is intended for authorized penetration testing and security research, helping researchers or security teams understand and harden the security of their AI infrastructure.","2026-06-11 03:31:05","CREATED_QUERY"]