b56a30721d22391836e8145ca16fe0e24250a148
Audit Date: 2026-04-28
Auditor: Security Audit Agent
Total Lines of Code: 369,411 (C/H files)
The ScorpioX codebase is a large, predominantly C-language project implementing a TUI-based AI assistant client with supporting tools. The architecture follows a vendored-dependency model — all critical third-party code is committed directly into the repository under scorpiox/vendor/, eliminating runtime dependency on external package managers for the core C build. The build system uses CMake with a strong preference for fully-static linked binaries on Linux.
bridge/ component introduces npm dependencies, and (2) two pre-built ELF binaries ship in the repository.
| File | Found? | Location | Risk |
|---|---|---|---|
package.json | YES | bridge/package.json | Medium |
requirements.txt | No | — | — |
Cargo.toml | No | — | — |
go.mod / go.sum | No | — | — |
vcpkg.json | No | — | — |
conanfile.txt / .py | No | — | — |
Pipfile | No | — | — |
Gemfile | No | — | — |
pom.xml | No | — | — |
build.gradle | No | — | — |
CMake FetchContent | No | — | — |
CMake ExternalProject | No | — | — |
CMake file(DOWNLOAD) | No | — | — |
The only package manager file is in the bridge/ subdirectory — a WhatsApp bridge component written in TypeScript:
{
"name": "scorpiox-whatsapp-bridge",
"version": "1.0.0",
"private": true,
"type": "module",
"dependencies": {
"@whiskeysockets/baileys": "^7.0.0-rc.9",
"qrcode-terminal": "^0.12.0"
}
}
bun.lock present, 22KB)node_modules directory is checked into the repows2tcp.c (42KB) — a pure C WebSocket-to-TCP proxy that is compiled separately via its own MakefileThe project vendors two third-party C libraries directly in the source tree:
| Library | Location | License | Files | Lines |
|---|---|---|---|---|
| mbedTLS | scorpiox/vendor/mbedtls/ | Apache-2.0 OR GPL-2.0+ | 273 files | 206,340 |
| yyjson | scorpiox/vendor/yyjson/ | MIT | 3 files | 19,556 |
Both are compiled as static libraries from source during the build (not downloaded):
add_library(yyjson STATIC vendor/yyjson/yyjson.c)CMakeLists.txt subdirectoryThe mbedTLS vendored copy uses a custom minimal configuration (sx_mbedtls_config.h) that enables only:
The core C build (CMake) has zero external package manager dependencies. All third-party code is vendored. System libraries (libcurl, OpenSSL, zlib, etc.) are expected to be pre-installed on the build host — they are found via find_static_library() and pkg-config, not downloaded.
CMAKE_C_STANDARD 11)-O2 -DNDEBUGgcc or clang (no downloaded toolchains)aarch64-linux-gnu-gcc (system cross-compiler)The build defaults to fully static linking (SX_STATIC_LINK=ON):
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -static")
set(CMAKE_FIND_LIBRARY_SUFFIXES ".a")
System static libraries linked:
/opt/curl-static or system)/opt/curl-static path suggests a pre-built minimal curl is used for Alpine/musl builds, which is a common CI pattern.
One build-time code generation step exists:
add_custom_command(
OUTPUT ${MODELS_HEADER}
COMMAND ${Python3_EXECUTABLE} ${MODELS_GENERATOR} ${MODELS_HEADER}
...
)
The code_generator_models.py script can fetch AI model IDs from a live API, but:
MODELS_FROZEN = True) — the script emits pre-existing constants without network callssx_models_generated.h)-DSX_GENERATE_MODELS=OFF--fetch flaggnuwin64/download.ps1 script downloads MSYS2 GNU tool packages from repo.msys2.org for Windows buildsA build-time validation target exists (Linux only):
add_custom_target(validate_config ALL
COMMAND ${PWSH_EXE} -ExecutionPolicy Bypass -File .../validate_config_keys.ps1
)
This validates configuration key consistency between source files — a positive security practice.
The main executable target is sx (symlinked as scorpiox):
add_executable(sx sx.c sx_statusbar.c sx_cache_keepalive.c)
target_link_libraries(sx PRIVATE sxterm sxui sxnet sxutil ${CURL_LINK_LIBS})
With static linking enabled, this produces a single self-contained binary with no shared library dependencies beyond libc (or fully static on musl/Alpine).
The build produces multiple executables (not a single binary). The install target lists core executables:
install(TARGETS
sx scorpiox-bash scorpiox-config
scorpiox-conv scorpiox-debug scorpiox-logger
scorpiox-printlogs scorpiox-systemprompt
scorpiox-mirror-git scorpiox-vault-git
RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})
Total executable targets identified: ~65 executables including:
sx — Main TUI clientscorpiox-bash — Shell wrapperscorpiox-server — Server modescorpiox-email / scorpiox-server-email — Email functionalityscorpiox-tmux / scorpiox-multiplexer — Terminal multiplexerscorpiox-claudecode-fetchtoken, etc.)An optional shared library target exists but is OFF by default:
option(SX_BUILD_DLL "Build sx.dll shared library for C# P/Invoke" OFF)
When enabled, it produces libsx.so / libsx.dylib / sx.dll for C# interop.
sx executable is the primary deliverable and the majority of functionality is consolidated through shared static libraries (sxutil, sxnet, sxui, sxterm). All executables are built from the same source tree with the same compiler flags.
Risk: LOW — Multiple executables is a reasonable design for a tool suite. Each executable is self-contained when statically linked.
find -name '.so' -o -name '.dll' -o -name '.dylib' -o -name '.a' -o -name '*.lib'
Result: NONE found ✅
Two pre-built ELF executables were found in bridge/:
| File | Architecture | Type | Size |
|---|---|---|---|
bridge/scorpiox-ws2tcp | x86-64 | ELF, dynamically linked | 39,760 bytes |
bridge/scorpiox-ws2tcp-arm64 | ARM aarch64 | ELF, dynamically linked | 74,024 bytes |
These are compiled versions of bridge/ws2tcp.c (42,153 bytes of C source). The source is present alongside the binaries, and the bridge/Makefile shows how to rebuild them:
$(TARGET): ws2tcp.c
$(CC) $(CFLAGS) -o $@ $< $(LDFLAGS)
Risk: MEDIUM — Pre-built binaries in a repository are a supply chain concern. While the source code is co-located and the Makefile allows verification builds, there is no automated mechanism to verify the checked-in binaries match the source. These binaries are dynamically linked (not static), which differs from the project's general static-linking philosophy.
Recommendation: Either remove the pre-built binaries and require building from source, or add a CI step that rebuilds and verifies hash consistency.
| Name | Domain | |
|---|---|---|
dev@scorpiox.net | scorpioxinc | scorpiox.net |
partner@scorpioplayer.com | ScorpioX | scorpioplayer.com |
pico@scorpiox.net | Pico | scorpiox.net |
picobot@scorpioplayer.com | Pico | scorpioplayer.com |
scorpiox@scorpiox.net | scorpiox | scorpiox.net |
sx@sx | sx | (local) |
All 6 unique author emails map to two related domains:
scorpiox.net — Primary organization domain (3 addresses)scorpioplayer.com — Related product domain (2 addresses)sx@sx — Likely a local/automation identitysx@sx local identity is common for automated commits.
| File | Library | License |
|---|---|---|
scorpiox/vendor/mbedtls/LICENSE | mbedTLS | Apache-2.0 OR GPL-2.0-or-later |
scorpiox/vendor/yyjson/LICENSE | yyjson | MIT |
scorpiox/vendor/
├── gnuwin64/ # Windows GNU tools download script (not compiled code)
│ ├── README.md
│ └── download.ps1
├── mbedtls/ # Vendored mbedTLS (TLS/crypto library)
│ ├── LICENSE
│ ├── sx_mbedtls_config.h # Custom minimal config
│ ├── include/ # Headers
│ └── library/ # Source files
└── yyjson/ # Vendored yyjson (JSON parser)
├── LICENSE
├── yyjson.c
└── yyjson.h
References to "third party" found in main source files (sx.c, sx_dll.c, sx_dll.h, scorpiox-busybox.c, sxmail_tls.c, sxmail_dkim.h, libsxnet/sx_frp.c) relate to the vendored mbedTLS usage and internal documentation — no additional hidden third-party code detected.
vendor/ directory.
| Finding | Risk Level | Details |
|---|---|---|
| Core C build — zero package manager deps | LOW ✅ | No npm/pip/cargo/go dependencies for core build |
| Vendored mbedTLS & yyjson | LOW ✅ | Source committed, auditable, properly licensed |
| Build system (CMake + system compiler) | LOW ✅ | No downloaded toolchains, standard build tools |
| Static linking default | LOW ✅ | Reduces runtime dependency surface |
| Code provenance (single org) | LOW ✅ | All 987 commits from ScorpioX organization |
| Build-time code generation (frozen) | LOW ✅ | Network calls disabled by default |
bridge/package.json (npm deps) | MEDIUM ⚠️ | 2 npm deps for peripheral WhatsApp bridge only |
Pre-built ELF binaries in bridge/ | MEDIUM ⚠️ | 2 pre-compiled binaries; source co-located but no hash verification |
| Multiple executables (~65) vs single binary | LOW ℹ️ | Design choice; each is self-contained when statically linked |
| System library dependencies (curl, SSL, etc.) | LOW ✅ | Standard system libraries, found at build time, not downloaded |
bridge/scorpiox-ws2tcp and bridge/scorpiox-ws2tcp-arm64 from source and verify checksums, or remove the pre-built binaries entirely.bridge/ to a separate repository or clearly documenting that it has different supply chain properties than the core C codebase.VENDOR_VERSIONS.md file documenting the exact versions/commits of mbedTLS and yyjson that are vendored, to facilitate future CVE tracking.bun.lock file is present, which is good. Consider adding integrity hashes if not already present.