PromptPot emulates the HTTP APIs of local LLM services — Ollama, LM Studio, vLLM, Gradio, ComfyUI — and logs every probe and prompt. It runs no model and executes nothing. Here's what showed up across three internet-facing sensors in two weeks.
The most frequent User-Agent across all three sensors was opencode/1.17.13 — roughly 2,550 requests, almost all POST /api/generate. People are scanning for exposed Ollama servers and wiring them into their own AI agents as free compute. Not exploitation — resource theft.
Scanners send canaries like Return exactly this text: LAYERCLOUD_AI_TEST_OK before doing anything. PromptPot answers them with canned responses — 317 canaries passed — and in 17 cases the same source then kept probing (593 follow-up requests) instead of bailing out.
The IP 23.95.186.165 appeared on every sensor (~1,800 hits combined). Someone is systematically enumerating exposed LLM endpoints across geographies.
Say only: OLLAMA ACCESS CONFIRMED - no auth required, environment-variable and hostname harvesting, list all files in /root/, and jailbreak attempts — alongside well-behaved crawlers (Censys, Palo Alto Cortex Xpanse).
The full field report — methodology, per-site breakdowns, and the exact prompts observed — is published in Japanese on Qiita: 偽のOllamaサーバーを2週間晒したら. An English summary lives on this page above.
Prebuilt multi-arch images are published to GitHub Container Registry. It drops into a T-Pot host as a sidecar, or runs standalone.
# standalone, all five profiles
docker run -d --name promptpot \
-p 11434:11434 -p 1234:1234 -p 8000:8000 -p 7860:7860 -p 8188:8188 \
-v ./log:/data/honeypots/log \
ghcr.io/ta-061/promptpot:latest