Here's my thorough analysis after reviewing the entire project:

---

## Verdict: Not malicious

This is an *OSINT (Open Source Intelligence) dashboard* called "ShadowBroker" that aggregates publicly available real-time data — flights, ships, satellites, CCTV, news, radio, weather, earthquakes, stock markets, and geopolitical events — onto a map. The name references the infamous hacking group but the code itself contains no malware.

---

## What `start.sh` does

1. Checks for Node.js and Python 3
2. Creates a Python venv and installs dependencies from `requirements.txt`
3. Installs npm packages from `frontend/package.json`
4. Runs `npm run dev` which starts both a Next.js frontend and a FastAPI (uvicorn) backend

*No obfuscated commands, encoded payloads, curl/wget to suspicious URLs, reverse shells, or hidden steps.*

---

## What the full codebase does

It fetches data from these *legitimate public sources*:

| Category | Sources |
|---|---|
| Aviation | adsb.lol (open ADS-B), OpenSky Network (OAuth2) |
| Maritime | aisstream.io (AIS vessel tracking) |
| Satellites | CelesTrak (NORAD TLEs), SGP4 propagation |
| CCTV | TfL London, Singapore LTA, Austin TX, NYC DOT, OpenStreetMap |
| News | NPR, BBC, Al Jazeera, NYT, GDACS, NHK RSS feeds |
| Radio | Broadcastify (scraping), OpenMHz API |
| Weather | RainViewer |
| Earthquakes | USGS GeoJSON feed |
| Markets | Yahoo Finance (defense stocks, oil) |
| Geopolitics | GDELT, Liveuamap (Playwright scraping) |

---

## Things that are NOT present (good signs)

- No data exfiltration — nothing sends your personal data anywhere
- No reverse shells or backdoors
- No cryptominer code
- No encoded/obfuscated payloads
- No filesystem scanning or credential harvesting
- No network scanning or port scanning
- The `subprocess.run` call in `network_utils.py` uses argument lists (not `shell=True`), preventing command injection

---

## Noteworthy concerns (not malicious, but worth awareness)

1. *`cloudscraper` + Playwright stealth* — Used to bypass Cloudflare/Turnstile protections on Liveuamap and OpenMHz. Legally gray (may violate those sites' ToS).
2. *CORS wide open* (`allow_origins=["*"]`) in `main.py` — acceptable for a local-only tool, but means any website you visit could make requests to your local backend on port 8000 while it's running.
3. *API key management* — The `/api/settings/api-keys` PUT endpoint writes to `.env` on disk. It does validate against a whitelist of known keys and rejects newlines, but it's exposed without authentication on localhost.
4. *Resource consumption* — The scheduler makes hundreds of outbound API calls per hour from your IP to public services (ADSB, OpenSky, CelesTrak, USGS, RSS feeds, etc.).
5. *UAV data is fake* — `fetch_uavs()` generates simulated drone positions in conflict zones. It's not real tracking data.
6. *Dependencies are all legitimate* — `fastapi`, `yfinance`, `feedparser`, `playwright`, `beautifulsoup4`, `requests`, `sgp4`, etc. are all well-known Python packages. Frontend deps (Next.js, React, MapLibre, Tailwind) are standard.

---

*Bottom line*: Safe to run. It's a hobbyist OSINT dashboard with an edgy name. No malicious behavior detected anywhere in the codebase.
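Added example, not code from ShadowBroker or its author, illustrating concerns 2 and 3 above: it models the local backend's CORS decision and the `/api/settings/api-keys` PUT handler as plain Python functions, so the wide-open and hardened behaviours can be compared without running a server. The key allowlist, the bearer-token scheme, `new_session_token`, the `.env` quoting and all request data are constructed assumptions; the project's real validation may differ.

```python
import json
import re
import secrets
from typing import Optional

# Constructed allowlist of .env keys the settings endpoint may write.
# The real project's list is not reproduced here; these names are assumptions.
ALLOWED_KEYS = {"OPENSKY_CLIENT_ID", "OPENSKY_CLIENT_SECRET", "AISSTREAM_API_KEY"}
KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]{0,63}$")


def cors_allow_origin(request_origin: Optional[str], allowed_origins: list) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value to emit for this request,
    or None if the browser should refuse the cross-site call.

    A wildcard entry ("*") mirrors allow_origins=["*"]: every origin is
    accepted, including whatever site the user happens to have open.
    """
    if request_origin is None:
        return None  # same-origin or non-browser request: no CORS header needed
    if "*" in allowed_origins:
        return "*"
    if request_origin in allowed_origins:
        return request_origin
    return None


def validate_env_update(key: str, value: str) -> Optional[str]:
    """Return an error message if (key, value) must not be written to .env, else None."""
    if key not in ALLOWED_KEYS or not KEY_RE.match(key):
        return "unknown key"
    if any(ch in value for ch in "\r\n\0"):
        # a newline would let the caller append arbitrary extra lines to .env
        return "control character in value"
    if len(value) > 512:
        return "value too long"
    return None


def render_env_line(key: str, value: str) -> str:
    """Quote the value so it survives as exactly one .env line (assumed format)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{key}="{escaped}"'


def new_session_token() -> str:
    """Per-run secret the local frontend would be handed at startup (assumption)."""
    return secrets.token_urlsafe(32)


def handle_settings_put(headers: dict, body: bytes, allowed_origins: list,
                        expected_token: Optional[str]) -> tuple:
    """Simulate PUT /api/settings/api-keys; return (status, response headers, body).

    expected_token=None reproduces the unauthenticated behaviour the review
    describes. With a token, a page on another site cannot succeed even when
    CORS is wide open, because it never learns the token.
    """
    resp_headers = {}
    acao = cors_allow_origin(headers.get("Origin"), allowed_origins)
    if acao is not None:
        resp_headers["Access-Control-Allow-Origin"] = acao

    if expected_token is not None:
        presented = headers.get("Authorization", "").encode()
        wanted = f"Bearer {expected_token}".encode()
        if not secrets.compare_digest(presented, wanted):  # constant-time compare
            return 401, resp_headers, "missing or wrong token"

    try:
        payload = json.loads(body)
        key, value = payload["key"], payload["value"]
    except (ValueError, KeyError, TypeError):
        return 400, resp_headers, "malformed request"
    if not isinstance(key, str) or not isinstance(value, str):
        return 400, resp_headers, "key and value must be strings"

    err = validate_env_update(key, value)
    if err:
        return 400, resp_headers, err
    # A real handler would write this line to .env; here it is returned instead.
    return 200, resp_headers, render_env_line(key, value)


if __name__ == "__main__":
    # Constructed request: a page at evil.example calling the local backend.
    cross_site = {"Origin": "https://evil.example", "Content-Type": "application/json"}
    body = b'{"key": "AISSTREAM_API_KEY", "value": "k"}'
    for label, origins, token in [("wide open, no auth", ["*"], None),
                                  ("wide open, token", ["*"], new_session_token()),
                                  ("allowlist, token", ["http://localhost:3000"], new_session_token())]:
        status, hdrs, _ = handle_settings_put(cross_site, body, origins, token)
        print(f"{label:20s} status={status} ACAO={hdrs.get('Access-Control-Allow-Origin')}")
```

CORS is enforced by the browser, not the server: with an allowlist, a page on another site fails the preflight and its PUT is never sent (the simulation shows this as a missing `Access-Control-Allow-Origin` header), whereas with `["*"]` (and methods/headers allowed too) the request goes through and, without a token, succeeds. The token check is the server-side control that holds regardless of the CORS policy, which is why the hardened variant needs both.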