Investigation finds 175,000 publicly accessible Ollama hosts across 130 countries

A technical analysis by SentinelOne Labs said a joint investigation with Censys identified 175,000 publicly accessible Ollama hosts across 130 countries, with many configured to expose tool calling interfaces and operating outside platform guardrails.

KEY FACTS

  • Scale: 175,000 unique Ollama hosts
  • Reach: Hosts observed in 130 countries
  • Tool calling: Over 48% advertise tool calling capabilities
  • Exposure: Default local binding can be changed to expose instances publicly

The exposed systems span both cloud and residential networks worldwide. Just over 30 percent of observed hosts are located in China, with significant footprints in the U.S., Germany, France, South Korea, India, Russia, Singapore, Brazil, and the U.K.

Ollama instances run locally on Windows, macOS, and Linux and bind to 127.0.0.1:11434 by default. A trivial change to bind to 0.0.0.0 or a public interface can make an instance reachable from the internet.

More than 48 percent of observed hosts advertise tool calling via their API endpoints. Tool calling lets language models interact with external systems, call APIs, and execute actions beyond text generation.

A total of 201 hosts were identified running uncensored prompt templates that remove safety guardrails. The decentralized mix of cloud and residential deployments creates governance gaps and increases avenues for abuse such as proxying malicious traffic or unauthorized compute use.

WHY IT MATTERS

Edge LLM deployments that expose tool calling and lack proper authentication or network controls can translate instructions into privileged actions. These deployments should be treated with the same authentication, monitoring, and network controls as other externally accessible infrastructure.