You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This repository is a textbook example of an AI-generated "intelligence dashboard" that has been deployed to production without any security review, data integrity standards, or engineering discipline. It presents itself as a real-time global intelligence platform but is largely a fabrication engine wrapped in a military-aesthetic UI. It contains live credentials, unauthenticated endpoints that abuse real Telegram users, committed PII, open SSRF vectors, public nuclear facility targeting data, and systematic fabrication of war events attributed to Reuters and Al Jazeera.
This issue is the index for all P0/P1 findings filed as part of the AI Slop Intelligence Dashboard Awareness Programme.
This codebase was almost certainly vibe-coded by an LLM with minimal human review. The evidence:
Every "live" data feed that required real API keys or complex integration was quietly replaced with Math.random() and hardcoded arrays, but kept the source: "NASA FIRMS" / source: "UNHCR" attribution.
TypeScript build errors were suppressed with ignoreBuildErrors: true rather than fixed.
FALLBACK_SIGNALS contains fully fabricated military escalation events ("Israel launches airstrikes on Iranian nuclear facilities") attributed to Reuters, timestamped new Date(Date.now() - 5 * 60 * 1000) so they always read as "5 minutes ago."
A real Telegram bot token was committed to .env.local AND a second live token was committed to .env.example (the template file that's supposed to have placeholders).
Four private individuals' full names and Telegram IDs were committed to source code as inline comments.
Authentication was "implemented" on zero of the notification/alert/webhook endpoints.
The DEFCON level is permanently hardcoded to 3 with lastUpdated: new Date().toISOString() to fake liveness.
This master issue was filed as part of the AI Slop Intelligence Dashboard Awareness Program — a public interest effort to identify and document AI-generated "intelligence dashboards" that present fabricated data as real-time intelligence, expose user PII, and ship with critical security vulnerabilities.
Summary
This repository is a textbook example of an AI-generated "intelligence dashboard" that has been deployed to production without any security review, data integrity standards, or engineering discipline. It presents itself as a real-time global intelligence platform but is largely a fabrication engine wrapped in a military-aesthetic UI. It contains live credentials, unauthenticated endpoints that abuse real Telegram users, committed PII, open SSRF vectors, public nuclear facility targeting data, and systematic fabrication of war events attributed to Reuters and Al Jazeera.
This issue is the index for all P0/P1 findings filed as part of the AI Slop Intelligence Dashboard Awareness Programme.
Programme: https://labs.jamessawyer.co.uk/ai-slop-intelligence-dashboards/
The Core Problem
This codebase was almost certainly vibe-coded by an LLM with minimal human review. The evidence:
Math.random()and hardcoded arrays, but kept thesource: "NASA FIRMS"/source: "UNHCR"attribution.ignoreBuildErrors: truerather than fixed.FALLBACK_SIGNALScontains fully fabricated military escalation events ("Israel launches airstrikes on Iranian nuclear facilities") attributed to Reuters, timestampednew Date(Date.now() - 5 * 60 * 1000)so they always read as "5 minutes ago.".env.localAND a second live token was committed to.env.example(the template file that's supposed to have placeholders).lastUpdated: new Date().toISOString()to fake liveness.Filed Issues Index
Previously filed by other auditors (not duplicated):
What Needs to Happen
Before this application should be considered safe to operate:
/api/notify,/api/alerts,/api/telegram,/api/infrastructure(see Unauthenticated POST /api/notify allows anyone to broadcast arbitrary Telegram messages to all subscribers #57, Telegram webhook /api/telegram has no signature verification — forged payloads cause bot to message arbitrary users #59, Unauthenticated /api/alerts is a public Telegram spammer and SSRF relay — action:test sends to any user, action:create webhook hits any URL #60, Unauthenticated /api/infrastructure serves nuclear weapons facility coordinates, ICBM sites, undersea cable routes and an IRAN_TARGETS layer to anyone #61).IRAN_TARGETSlayer and nuclear weapons coordinate data (see Unauthenticated /api/infrastructure serves nuclear weapons facility coordinates, ICBM sites, undersea cable routes and an IRAN_TARGETS layer to anyone #61).