Issue #1 · Apr 11, 2026

Your local AI stack is already being scanned

113K requests, a Raspberry Pi honeypot, and the attack surface you didn't know you had

If port 11434 is open, Shodan indexes you inside 3 hours. A 30-day Raspberry Pi honeypot — pretending to be a high-end rig running a "Heretic" uncensored model — logged 113,314 requests. The first probe landed in under an hour.

The attack surface

The volume is loud, but the composition is the actual story:

| Vector | What's happening |
|---|---|
| Free-rider compute | Majority of interactive sessions. Firmware engineers firing STM32 JSON extraction prompts; security researchers processing CVE write-ups; someone trying to proxy Claude API calls through the endpoint. No shells, no malware — just workloads. |
| MCP probes | 36 hits in the first 18 days → 2,267 in one week. A scanner called Umai-Scanner/1.0 alone hit the honeypot 58,258 times in 4 days, probing /.well-known/mcp.json and /.well-known/agent.json. These standards are barely out of draft and already being inventoried at internet scale. |
| Config file spraying | One IP probed AI-specific config paths every day for 30 days, updating its wordlist in real time: /.cursor/rules, /.claude/settings.json, /.openclaw/agents/main/agent/auth-profiles.json, /.cline/mcp_settings.json. OpenClaw's internal directory structure is now in someone's scanner. |
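
To look for the same three vectors in your own logs, here is a triage sketch added for this write-up (not code from the honeypot or from RunLocal). It assumes a common/combined-format access log from a reverse proxy in front of Ollama; the category names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Paths named in this issue; extend the sets from your own logs.
MCP_PATHS = {"/.well-known/mcp.json", "/.well-known/agent.json"}
CONFIG_PREFIXES = ("/.cursor/", "/.claude/", "/.openclaw/", "/.cline/", "/.env")
INFERENCE_PREFIXES = ("/api/", "/v1/")  # Ollama native and OpenAI-compatible routes

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

def classify(line):
    """Return (client_ip, category), or None when the line cannot be parsed."""
    m = LINE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    try:
        if ip_address(ip).is_loopback:
            return ip, "local"
    except ValueError:  # hostname or junk in the client field
        return None
    path = target.split("?", 1)[0]
    if path in MCP_PATHS:
        return ip, "mcp_probe"
    if path.startswith(CONFIG_PREFIXES):
        # A 2xx here means the file was actually served: treat as an incident.
        return ip, "config_exposed" if status.startswith("2") else "config_spray"
    if path.startswith(INFERENCE_PREFIXES):
        return ip, "remote_inference"
    return ip, "other"

def summarize(lines):
    """Count requests per category; unparsable lines are counted, not dropped."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        counts[hit[1] if hit else "unparsed"] += 1
    return counts

# Constructed sample lines using documentation IP ranges, not honeypot data.
SAMPLE = [
    '203.0.113.7 - - [11/Apr/2026:10:00:01 +0000] "GET /.well-known/mcp.json HTTP/1.1" 404 153 "-" "Umai-Scanner/1.0"',
    '198.51.100.23 - - [11/Apr/2026:10:00:05 +0000] "GET /.claude/settings.json HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '198.51.100.23 - - [11/Apr/2026:10:00:06 +0000] "GET /.cline/mcp_settings.json HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '192.0.2.44 - - [11/Apr/2026:10:01:12 +0000] "POST /api/generate HTTP/1.1" 200 2048 "-" "python-requests/2.31.0"',
    '127.0.0.1 - - [11/Apr/2026:10:02:00 +0000] "POST /api/chat HTTP/1.1" 200 900 "-" "ollama-client"',
    'garbage line',
]
```

Any non-zero `remote_inference` or `config_exposed` count means the endpoint or a config file is reachable from outside, which is what the fixes in the next section close.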

What to close today

  • Don't expose port 11434. Bind Ollama to 127.0.0.1 or put it behind a reverse proxy with auth. The calculator at runlocal.dev/calculator assumes local access — keep it local.
  • If you wrap Ollama in a Next.js layer, the Next layer gets its own attack surface (prototype pollution, .env spraying). Harden before exposing.
  • Your editor config directory is not private. If you use OpenClaw, Cline, or Cursor, assume their config paths are in public wordlists. Don't check auth profiles into repos.

Releases worth the update

  • Ollama v0.20.5 — fixes Flash Attention on pre-Ampere GPUs that was silently corrupting Gemma 4 inference. If you run Gemma 4 on anything older than RTX 3000-series, update.
  • OpenClaw — shipping daily. 2026.4.7 → 2026.4.8 → 2026.4.9 → 2026.4.10 inside one week, at 343K stars. No other project in this ecosystem moves this fast.
  • OpenCode v0.0.55 — roughly one release every 3 days for the last month. The Go + Bubble Tea codebase is worth reading if you care about how an AI coding loop consumes LSP feedback.

On the watch list

Qwen 3.6 community vote just closed with 581 upvotes on r/LocalLLaMA. Release is expected any day — Qwen 3.6 35B-A3B now live with the characteristic MoE efficiency: 3B active parameters, 35B total.


Based on RunLocal Issue #1