f7f14b49ca77bfb07d31a819de0791445d3c02a5
Auditor: Security Audit Agent
Total Lines of Code: 369,495 (143,599 first-party + 225,896 vendored)
The ScorpioX codebase is a pure C project (~370K LOC) built with CMake and targeting multiple platforms (Linux, macOS, Windows, WASM). The project follows a vendored dependency model — the only third-party libraries (mbedtls and yyjson) are committed directly into the source tree under scorpiox/vendor/. There are no package manager fetches, no FetchContent/ExternalProject downloads, and no git submodules. The build system relies exclusively on the system compiler (gcc/clang) and system-provided libcurl. Code provenance analysis shows all 996 commits originate from ScorpioX organization email addresses. Two pre-built ELF binaries were found in the bridge/ directory, which is a medium-risk finding. A bridge/package.json with Node.js dependencies exists for a WhatsApp bridge component, which is an informational finding (not part of the C build).
| Package Manager File | Found? | Location | Notes |
|---|---|---|---|
package.json | YES | bridge/package.json | WhatsApp bridge (TypeScript/Bun), not part of the C build |
requirements.txt | No | — | — |
Cargo.toml | No | — | — |
go.mod / go.sum | No | — | — |
vcpkg.json | No | — | — |
conanfile.txt / .py | No | — | — |
Pipfile | No | — | — |
Gemfile | No | — | — |
pom.xml | No | — | — |
build.gradle | No | — | — |
.gitmodules | No | — | — |
package.json is in bridge/ for a standalone WhatsApp bridge component (@whiskeysockets/baileys, qrcode-terminal). This is a separate Node.js/TypeScript tool, not part of the C compilation pipeline.
Risk: LOW — The Node.js dependency file is isolated from the main C build and does not affect the compiled binaries.
The project uses CMake but contains zero instances of:
FetchContent — Not usedExternalProject — Not used file(DOWNLOAD ...) — Not usedThe only find_package() calls reference system-installed libraries:
find_package(Python3) — Build-time code generation onlyfind_package(CURL) — System libcurl (statically linked on Linux)find_package(Threads) — System pthreadsfind_package(X11) — Optional, for screenshot feature| Library | Version | License | Location | LOC |
|---|---|---|---|---|
| mbedtls | (source) | Apache-2.0 OR GPL-2.0+ | scorpiox/vendor/mbedtls/ | ~225K (108 .c, 159 .h files) |
| yyjson | (source) | MIT | scorpiox/vendor/yyjson/ | ~743K bytes (2 files: yyjson.c + yyjson.h) |
Both libraries are:
add_library(... STATIC ...))CMAKE_C_STANDARD 11)-O2 -DNDEBUGSX_STATIC_LINK ON)| Script | Purpose | Downloads Anything? | |
|---|---|---|---|
CMakeLists.txt (root) | Main build config | No | |
scorpiox/CMakeLists.txt | Library + executable definitions | No | |
release_macos_native.sh | macOS release build | No (requires pre-installed Xcode + cmake) | |
release.ps1 | Linux container build | No (uses pre-installed Alpine packages) | |
Dockerfile.build-musl | Alpine musl static build env | apk add only (system packages) | |
Dockerfile.linux-arm64 | ARM64 cross-build env | System packages only | |
release_whatsapp.ps1 | WhatsApp bridge build | YES — downloads Bun runtime via curl | bash |
release_whatsapp.ps1 line 82 executes curl -fsSL https://bun.sh/install | bash — a classic pipe-to-shell installation pattern. However, this is for the standalone WhatsApp bridge (TypeScript), not the core C binaries.
Risk: MEDIUM — The curl | bash pattern in release_whatsapp.ps1 is a supply chain risk for the WhatsApp bridge component. Not applicable to the core C build pipeline.
A Python script (tests/code_generator_models.py) generates sx_models_generated.h at build time. The CMake comment notes this is "FROZEN at opus-4-6" and does not fetch from the network by default. This is a compile-time code generation step, not a dependency download.
Current flags: -Wall -Wextra -O2
| Flag | Present? | Notes |
|---|---|---|
-Wall -Wextra | ✅ | Standard warnings enabled |
-Wformat=2 | ✅ (mbedtls) | Format string protection (vendor only) |
-static | ✅ (Linux) | Full static linking on Linux |
-fstack-protector-strong | ❌ | Not enabled — recommended |
-D_FORTIFY_SOURCE=2 | ❌ | Not enabled — recommended |
-fPIE / -pie | ❌ | Not explicitly set (may be compiler default) |
-Wl,-z,relro,-z,now | ❌ | Not set (N/A for static builds) |
-fstack-protector-strong, -D_FORTIFY_SOURCE=2) are absent. Recommended for future improvement.
The build produces multiple executables (not a single binary), all linked against internal static libraries:
Internal Static Libraries (8):sxutil — Utility/config librarysxnet — Network librarysxhttp — HTTP librarysxui — UI librarysxterm — Terminal librarysxbridge — Bridge libraryyyjson — JSON parser (vendored)mbedtls_lib — TLS library (vendored)scorpiox-bash, scorpiox-agent, scorpiox-config, scorpiox-server, scorpiox-email, scorpiox-gemini, scorpiox-openai, scorpiox-sdk, scorpiox-voice, scorpiox-mcp, scorpiox-beam, scorpiox-frp, scorpiox-host, etc.
On Linux (static build): Only libc (musl via Alpine static build achieves zero dynamic dependencies).
On the dynamically-linked bridge/scorpiox-ws2tcp binary:
linux-vdso.so.1
libc.so.6
/lib64/ld-linux-x86-64.so.2
System libcurl is statically linked into the binaries on Linux. On macOS, it links dynamically against system frameworks.
A sx_shared (SHARED) library target exists (sx_dll.c), but this appears to be a Windows DLL export wrapper, conditionally compiled. The primary build mode is fully static.
| Author | Commits | Percentage | |
|---|---|---|---|
| ScorpioX | dev@scorpiox.net | 623 | 62.6% |
| scorpiox | scorpiox@scorpiox.net | 366 | 36.7% |
| scorpioxinc | partner@scorpioplayer.com | 3 | 0.3% |
| Pico | picobot@scorpioplayer.com | 2 | 0.2% |
| sx | sx@sx | 1 | 0.1% |
| Pico | pico@scorpiox.net | 1 | 0.1% |
scorpiox.net — Primary development (99.4% of commits)scorpioplayer.com — Partner/bot contributions (0.5%)sx@sx — Likely a local dev alias (single commit)| File | Type | Size | Concern |
|---|---|---|---|
bridge/scorpiox-ws2tcp | ELF 64-bit x86-64, dynamically linked | 39,720 bytes | MEDIUM |
bridge/scorpiox-ws2tcp-arm64 | ELF 64-bit ARM aarch64, dynamically linked | 74,024 bytes | MEDIUM |
No .so, .dll, .dylib, .a, .lib, .o, or .exe files were found elsewhere in the repository.
bridge/. The source (bridge/ws2tcp.c — 1,234 LOC) and Makefile are present alongside them, suggesting they are convenience builds. However, there is no way to verify the checked-in binaries were built from the checked-in source without rebuilding.
Risk: MEDIUM — Pre-built binaries in a source repository are a supply chain risk. An attacker who compromises the repo could replace these with backdoored versions. Recommendation: Remove pre-built binaries from the repo; build them in CI instead, or provide reproducible build verification.
No .wasm files, no embedded base64 payloads (outside of mbedtls's standard PEM/base64 crypto module), and no obfuscated code detected.
| File | Library | License |
|---|---|---|
scorpiox/vendor/mbedtls/LICENSE | Mbed TLS | Apache-2.0 OR GPL-2.0+ |
scorpiox/vendor/yyjson/LICENSE | yyjson | MIT |
sx_mbedtls_config.h)scorpiox/vendor/gnuwin64/ — Contains only a README.md and download.ps1 script for fetching GNU coreutils on Windows. No pre-downloaded binaries.COPYING, NOTICE, or THIRD_PARTY files outside of vendor directory.grep for non-ScorpioX copyright headers in .c/.h files returned zero results outside of vendor.vendor/, licensed, and compiled from source.
| Finding | Risk Level | Description | |
|---|---|---|---|
| Zero package manager dependencies in C build | LOW ✅ | No npm/pip/cargo/go dependencies for core build | |
| Vendored mbedtls + yyjson (source) | LOW ✅ | Well-known libraries, committed as source with licenses | |
| No FetchContent / ExternalProject / submodules | LOW ✅ | Build does not download anything at compile time | |
| Static linking by default | LOW ✅ | Eliminates shared library hijacking | |
| Single-org commit provenance (996 commits) | LOW ✅ | All commits from scorpiox.net / scorpioplayer.com | |
| System libcurl (find_package) | LOW ✅ | Standard system library, statically linked on Linux | |
Pre-built ELF binaries in bridge/ | MEDIUM ⚠️ | 2 pre-compiled binaries checked into repo | |
curl \ | bash in WhatsApp release script | MEDIUM ⚠️ | Supply chain risk for WhatsApp bridge (not core C build) |
bridge/package.json (Node.js deps) | INFO ℹ️ | Isolated WhatsApp bridge, not part of C build | |
| Missing compiler hardening flags | LOW-MEDIUM ⚠️ | No -fstack-protector-strong, -D_FORTIFY_SOURCE=2 |
bridge/ — build scorpiox-ws2tcp and scorpiox-ws2tcp-arm64 in CI or add a make step to the release process.-fstack-protector-strong -D_FORTIFY_SOURCE=2 to CMAKE_C_FLAGS.curl | bash in release_whatsapp.ps1 with a pinned, hash-verified download of the Bun runtime.THIRD_PARTY.md file documenting vendored library versions and their upstream commit hashes for audit traceability.VERSIONS file).| Category | C Files | H Files | Total LOC |
|---|---|---|---|
| First-party (scorpiox/) | — | — | 143,599 |
| Vendor: mbedtls | 108 | 159 | ~225K |
| Vendor: yyjson | 1 | 1 | ~743KB |
| Bridge (ws2tcp.c) | 1 | 0 | 1,234 |
| Total | — | — | 369,495 |
The build produces approximately 50+ individual executables, all statically linked against internal libraries (sxutil, sxnet, sxhttp, sxui, sxterm, sxbridge) and vendored libraries (mbedtls, yyjson). The architecture is a multi-binary CLI toolkit rather than a single monolithic binary.