📄 02-network.md
⬇ Download Raw

Network Communications Security Audit Report

Project: scorpiox/clang Audit Date: 2026-04-28 Auditor: Security Audit Agent Scope: All network communications, endpoints, protocols, and telemetry in the codebase (493 .c/.h files, 224 non-vendor)

1. Network Activity Summary

The scorpiox codebase is a network-intensive application consisting of an AI coding agent platform with multiple LLM provider integrations, infrastructure tooling, and supporting services. Network activity falls into these categories:

CategoryDescriptionRisk Level
AI Provider APIsHTTP/HTTPS to Anthropic, OpenAI, Google Gemini, Z.AIMedium
OAuth Token AcquisitionToken refresh via HTTP, SSH, raw TCPHigh
Telemetry / Usage TrackingUsage stats and session events sent to code.scorpiox.netMedium
Software DistributionDownloads from dist.scorpiox.netMedium
Reverse Proxy (FRP)TCP+TLS connections to frps servers with yamux multiplexingHigh
SMTP EmailOutbound email delivery via SMTP/STARTTLSMedium
DNS ServerUDP/TCP DNS on port 53 with upstream forwardingMedium
Web SearchHTML scraping of search engines (Mojeek, Brave)Low
HTTP RelayTCP binary protocol proxy for HTTP requestsMedium
WebSocket BridgeWS-to-TCP bridge for VNC (ws2tcp)Medium
Unix Domain SocketsLocal IPC for sxmux session managementLow
HTTP ServerEmbedded web server with JWT auth (scorpiox-server)Medium
Voice/WhisperAudio transcription API callsLow

2. Endpoint Inventory

2.1 Hardcoded Production Endpoints

URL / HostPortProtocolSource FilePurposeUser-Initiated
https://api.anthropic.com/v1/messages443HTTPSsx_provider_anthropic.c, sx_provider_claude_code.cAnthropic Claude APIYes
https://api.anthropic.com/v1/messages?beta=true443HTTPSsx_provider_claude_code_wasm.cClaude Code API (WASM)Yes
https://api.anthropic.com/v1/models443HTTPSscorpiox-claudecode-models.cModel listingYes
https://api.openai.com/v1/chat/completions443HTTPSsx_provider_openai_wasm.cOpenAI APIYes
https://chatgpt.com/backend-api/codex/responses443HTTPSsx_provider_codex.cOpenAI Codex APIYes
https://auth.openai.com/oauth/token443HTTPSscorpiox-codex-refreshtoken.cOpenAI OAuth refreshAutomatic
https://console.anthropic.com/v1/oauth/token443HTTPSscorpiox-claudecode-refreshtoken.cAnthropic OAuth refreshAutomatic
https://generativelanguage.googleapis.com/v1beta443HTTPSsx_provider_gemini_wasm.cGoogle Gemini APIYes
https://api.z.ai/api/anthropic/v1/messages443HTTPSsx_config_embedded.cZ.AI proxy endpointYes
https://code.scorpiox.net/usage-send443HTTPSscorpiox-usage.cUsage telemetryAutomatic
https://code.scorpiox.net/sessions-send443HTTPSscorpiox-emit-session.cSession event telemetryAutomatic
https://dist.scorpiox.net/container-images/443HTTPSscorpiox-wsl.c, scorpiox-vm.c, scorpiox-unshare.cContainer image downloadsUser-Initiated
https://dist.scorpiox.net/executables/443HTTPSscorpiox-wsl.c, scorpiox-whatsapp.cBinary updates/downloadsAutomatic
https://dist.scorpiox.net/firmware/443HTTPSscorpiox-vm.cBIOS firmware downloadUser-Initiated
https://dist.scorpiox.net/scorpiox/443HTTPSsx_config_embedded.cSoftware distributionUser-Initiated
https://dist.scorpiox.net/scorpiox/index.txt443HTTPSsx_config_embedded.cPackage indexAutomatic
https://whisper.scorpiox.net/443HTTPSscorpiox-voice.cVoice transcription APIYes
https://opus.scorpiox.net443HTTPSsx_config_embedded.cOpenAI-compat endpointYes
https://qwen3-coder-next.scorpiox.net443HTTPSsx_config_embedded.cQwen model endpointYes
https://login.scorpiox.net/443HTTPSscorpiox-server.cJWT issuer (validation)N/A
https://scorpiox.net/api443HTTPSscorpiox-server.cJWT audience (validation)N/A
https://git.scorpiox.net443HTTPSscorpiox-mirror-git.cGit serverUser-Initiated
https://www.mojeek.com/search443HTTPSscorpiox-websearch.cWeb searchYes
https://search.brave.com/search443HTTPSscorpiox-websearch.cWeb searchYes
http://scorpiox.net:51765176HTTPsx_config_embedded.cRouter URL (plaintext!)Yes
http://token.scorpiox.net/claude80HTTPsx_config_embedded.cToken endpoint (plaintext!)Automatic
http://token.scorpiox.net/codex80HTTPsx_config_embedded.cToken endpoint (plaintext!)Automatic
http://token.scorpiox.net/gemini80HTTPsx_config_embedded.cToken endpoint (plaintext!)Automatic
registry.scorpiox.net443HTTPSsx_config_embedded.cContainer registryUser-Initiated
relay.scorpiox.net9801TCPsx_config_embedded.cHTTP relay serverAutomatic
anthropic.scorpiox.net443HTTPSsx_config_embedded.cAnthropic proxyYes

2.2 Hardcoded Internal/Private IPs

IP AddressPortSource FilePurposeRisk
20.53.240.549800sx_config_embedded.cTCP token server (public Azure IP)HIGH – Hardcoded in WASM binary
192.168.1.128045sx_config_embedded.cAntigravity API proxy (LAN)Medium – Internal exposure
192.168.1.3N/Asx_config_embedded.cTMux remote host (SSH/SMB)Medium – Internal exposure
192.168.1.622223sx_config_embedded.cClaude Code SSH hostHIGH – SSH credentials hardcoded
192.168.1.605900bridge/ws2tcp.cVNC target (example/default)Low
192.168.1.2048045sx_config_embedded.cAntigravity API alt. endpointMedium
127.0.0.1VariousMultiple filesLoopback (relay, proxy)Low
8.8.8.853scorpiox-dns.c, scorpiox-unshare.cGoogle DNS upstreamLow
1.1.1.153scorpiox-dns.c, scorpiox-unshare.cCloudflare DNS upstreamLow

2.3 Hardcoded Credentials in Embedded Config

CredentialValue (Partial)FileRisk
ANTHROPIC_ANTIGRAVITY_KEYsk-6088a10d...sx_config_embedded.cCRITICAL – API key in source
ANTHROPIC_ZAI_KEY9c6fba5d...ue19jY48d9GmddqXsx_config_embedded.cCRITICAL – API key in source
GEMINI_API_KEYAIzaSyDsvlLn...8IQHVA8sx_config_embedded.cCRITICAL – API key in source
CLAUDE_CODE_SSH_PASSxboxonesx_config_embedded.cCRITICAL – SSH password in source
CLAUDE_CODE_SSH_USERrootsx_config_embedded.cHIGH – Root SSH access

3. Protocol Analysis

3.1 HTTP/HTTPS (libcurl + WASM fetch)

Implementation: sx_http.c (native via libcurl), sx_http_wasm.c (browser fetch API)

3.2 Raw TCP Socket

Implementation: scorpiox-claudecode-fetchtoken.c

3.3 FRP Reverse Proxy

Implementation: sx_frp.c (2118 lines)

3.4 SMTP (Email)

Implementation: scorpiox-email.c (libcurl), sxmail_queue.c (native SMTP client)

3.5 DNS Server

Implementation: scorpiox-dns.c

3.6 HTTP Server

Implementation: scorpiox-server.c (3174 lines)

3.7 WebSocket Bridge

Implementation: bridge/ws2tcp.c

3.8 HTTP Relay

Implementation: sx_http_relay.c

3.9 Unix Domain Sockets

Implementation: sxmux_session.c

4. Telemetry Assessment

Classification: MODERATE — Opt-in with sensible defaults

4.1 Usage Tracking (scorpiox-usage.c)

AspectDetail
Endpointhttps://code.scorpiox.net/usage-send
DefaultDISABLED (USAGE_TRACKING=0)
TriggerFire-and-forget from agent loop
Data SentSession ID, provider, model, input/output tokens, cache tokens, tier, project name, git branch
Machine Metadatahostname, username, OS, arch, OS version, scorpiox version
Opt-outSet USAGE_TRACKING=0 in scorpiox-env.txt

4.2 Session Event Telemetry (scorpiox-emit-session.c)

AspectDetail
Endpointhttps://code.scorpiox.net/sessions-send
DefaultDISABLED (EMIT_SESSION_TRACKING=0)
TriggerFire-and-forget per message
Data SentSession ID, message sequence, type (user/assistant/tool), message text, provider, model, project, branch
Machine Metadatahostname, username, OS, arch, OS version
RiskHIGH when enabled — full conversation content transmitted
Opt-outSet EMIT_SESSION_TRACKING=0 in scorpiox-env.txt

4.3 Cache Keepalive (sx_cache_keepalive.c)

4.4 Software Update Checks


5. TLS/SSL Security Analysis

5.1 Certificate Verification

ComponentTLS LibraryCert VerificationRisk
HTTP Client (native)libcurl + system TLSSystem CA bundle (default)Low
HTTP Client (WASM)Browser TLSBrowser CA storeLow
FRP Reverse ProxymbedTLSVERIFY_NONE ⚠️HIGH
SMTP RelaymbedTLSVERIFY_NONE ⚠️HIGH
SMTP Server (sxmail_tls.c)mbedTLSVERIFY_NONE ⚠️HIGH
Raw TCP Token FetchNoneNo TLS at all ⚠️CRITICAL

5.2 Specific TLS Findings

  • sx_frp.c:1105mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE)
  • - FRP client skips all certificate verification.

    - Vulnerable to MITM attacks on the control channel.

  • sxmail_queue.c:532mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE)
  • - SMTP relay TLS skips cert verification. Comment says "relay is trusted".

    - Vulnerable to MITM on outbound email relay connections.

  • sxmail_tls.c:185mbedtls_ssl_conf_authmode(&c->conf, MBEDTLS_SSL_VERIFY_NONE)
  • - SMTP server TLS connection skips verification.

  • Token fetch over raw TCPscorpiox-claudecode-fetchtoken.c
  • - OAuth tokens transmitted over unencrypted TCP to 20.53.240.54:9800.

    - No integrity or confidentiality protection.

    5.3 TLS Version


    6. Data Flow Diagrams

    6.1 AI Provider Request Flow

    User Input
    

    ┌──────────┐ JSON/HTTPS ┌────────────────────────────┐

    │ sx.c │ ──────────────► │ api.anthropic.com │

    │ (agent) │ ◄────────────── │ api.openai.com │

    └──────────┘ SSE stream │ generativelanguage.google │

    │ │ chatgpt.com │

    │ │ api.z.ai │

    ▼ └────────────────────────────┘

    Display Response

    6.2 Token Acquisition Flow

                            ┌──────────────────────────────────────┐
    

    │ Token Source (configurable) │

    │ │

    ┌─────────┐ TCP │ ① Raw TCP → 20.53.240.54:9800 │

    │fetchtoken│ ◄───────│ ② HTTP → token.scorpiox.net │

    │ exe │ SSH │ ③ SSH → 192.168.1.6:22223 │

    │ │ ◄───────│ ④ Local → ~/.claude/.credentials│

    └─────────┘ File │ ⑤ Config → scorpiox-env.txt │

    │ └──────────────────────────────────────┘

    OAuth Token → Provider API

    6.3 Telemetry Flow

      ┌──────────┐                    ┌─────────────────────┐
    

    │ sx.c │ fire-and-forget │ code.scorpiox.net │

    │ (agent) │ ──────────────────►│ /usage-send │

    │ │ POST JSON/HTTPS │ /sessions-send │

    └──────────┘ └─────────────────────┘

    │ │

    │ Collects: │ Receives:

    │ • session_id │ • token usage stats

    │ • hostname, username │ • conversation content

    │ • os, arch │ • machine fingerprint

    │ • provider, model │

    │ • token counts │

    │ • message content (sessions) │

    6.4 FRP Reverse Proxy Flow

      ┌───────────────┐   TCP+TLS(no verify)   ┌──────────┐
    

    │ sx_frp.c │ ◄─────────────────────► │ frps │

    │ (frpc client) │ yamux multiplexing │ server │

    └───────┬───────┘ AES-128-CFB crypto └────┬─────┘

    │ │

    │ local:127.0.0.1:port │ remote:port

    ▼ ▼

    Local Service Remote Access


    7. DNS Resolution Analysis

    CallerDomain ResolvedMethodPurpose
    sx_frp.cserver_addr (config)getaddrinfo()FRP server connection
    sx_http_relay.crelay_host (config)getaddrinfo()HTTP relay connection
    sxmail_queue.cMX records for domainsgetaddrinfo() on port 25Email delivery
    sxmail_queue.cSMTP relay hostgetaddrinfo()Relay email delivery
    scorpiox-claudecode-fetchtoken.cTCP_HOST (config)getaddrinfo()Token server
    sxmail_maildir.clocal hostnamegethostname()Maildir unique names
    sx_frp.clocal hostnamegethostname()FRP login metadata
    scorpiox-dns.cupstream DNSinet_pton()DNS forwarding
    libcurl (various)API hostnamesInternal resolverAll HTTPS requests
    Note: A DNS_AUDIT_LOG config option exists (default: disabled) for logging DNS queries to /var/log/scorpiox-dns.

    8. Data Exfiltration Pattern Analysis

    8.1 Potential Patterns Found

    PatternLocationRisk Assessment
    Machine fingerprinting + HTTP POSTscorpiox-usage.cSends hostname, username, OS, arch. Low risk if user opts in.
    Full conversation content + HTTP POSTscorpiox-emit-session.cSends complete message text when enabled. High risk when enabled.
    Base64 encoding + networksxmail_queue.c, sxmail_dkim.cUsed for SMTP AUTH PLAIN and DKIM signing — legitimate email use.
    Base64 encoding + terminalsx_term.cUsed for terminal clipboard (OSC 52) — local only.
    File read + HTTP POSTscorpiox-emit-session.c--file flag reads file content and POSTs it. Medium risk — user-initiated.
    Token file read + TCP sendscorpiox-claudecode-fetchtoken.cReads OAuth credentials and uses them — normal auth flow.
    Git credentials in URLsscorpiox-server.c, scorpiox-mirror-git.cPAT tokens embedded in HTTPS URLs for git operations.

    8.2 No Covert Exfiltration Found

    No patterns of covert data exfiltration were identified. All network transmissions serve documented purposes and are either user-initiated or controlled by explicit configuration flags.


    9. Risk Assessment

    9.1 Critical Findings

    #FindingSeverityLocation
    C1API keys hardcoded in WASM binary — Anthropic, Z.AI, and Gemini API keys embedded in sx_config_embedded.cCRITICALsx_config_embedded.c
    C2SSH credentials in source — root password "xboxone" for 192.168.1.6:22223CRITICALsx_config_embedded.c
    C3OAuth tokens over plaintext TCP — tokens fetched via raw TCP (no TLS) from 20.53.240.54:9800CRITICALscorpiox-claudecode-fetchtoken.c

    9.2 High Findings

    #FindingSeverityLocation
    H1TLS certificate verification disabled on all mbedTLS connections (FRP, SMTP relay, SMTP server)HIGHsx_frp.c:1105, sxmail_queue.c:532, sxmail_tls.c:185
    H2Token endpoints over plaintext HTTP — token.scorpiox.net/claude, /codex, /gemini use HTTP not HTTPSHIGHsx_config_embedded.c
    H3Router URL over plaintext HTTPhttp://scorpiox.net:5176 for AI routingHIGHsx_config_embedded.c
    H4FRP auth uses MD5 — cryptographically broken hash for authenticationHIGHsx_frp.c
    H5FRP encryption uses PBKDF2 with 64 iterations — far below recommended minimum (600,000 for PBKDF2-SHA1)HIGHsx_frp.c
    H6Session telemetry sends full conversation content when EMIT_SESSION_TRACKING=1HIGHscorpiox-emit-session.c
    H7Private network IPs hardcoded in WASM binary (192.168.1.x network topology exposed)HIGHsx_config_embedded.c

    9.3 Medium Findings

    #FindingSeverityLocation
    M1Usage telemetry sends machine fingerprint (hostname, username, OS)MEDIUMscorpiox-usage.c
    M2Auto-update mechanism downloads executables without integrity verification (no signature checking)MEDIUMscorpiox-wsl.c, scorpiox-whatsapp.c
    M3Git PAT tokens embedded in clone URLs (visible in process list, logs)MEDIUMscorpiox-server.c
    M4Cache keepalive generates ongoing billable API trafficMEDIUMsx_cache_keepalive.c
    M5HTTP relay uses custom binary protocol without authenticationMEDIUMsx_http_relay.c
    M6SMTP AUTH PLAIN sends credentials in base64 (trivially decodable)MEDIUMsxmail_queue.c

    9.4 Low Findings

    #FindingSeverityLocation
    L1DNS server defaults to Google/Cloudflare upstream (privacy implication)LOWscorpiox-dns.c
    L2WebSocket bridge has no authentication mechanismLOWbridge/ws2tcp.c
    L3Traffic logging writes raw HTTP request/response bodies to diskLOWMultiple provider files

    10. Recommendations

  • Rotate all embedded credentials immediately — API keys, SSH passwords in sx_config_embedded.c are compromised by being in source code.
  • Enable TLS certificate verification on all mbedTLS connections — replace MBEDTLS_SSL_VERIFY_NONE with MBEDTLS_SSL_VERIFY_REQUIRED and load CA certificates.
  • Upgrade token fetch to HTTPS — replace raw TCP token acquisition with TLS-secured transport.
  • Upgrade token.scorpiox.net and router URL to HTTPS — all authentication-related traffic must be encrypted.
  • Replace MD5 in FRP auth with SHA-256 or better.
  • Increase PBKDF2 iterations in FRP from 64 to at least 600,000.
  • Add binary signature verification for auto-update downloads.
  • Remove private network IPs from the WASM embedded config.
  • Add integrity checking (checksums/signatures) for downloaded container images and firmware.
  • Document all network endpoints in user-facing documentation so users can configure firewalls appropriately.

  • 11. Appendix: Complete File-to-Network-Function Mapping

    Files with Direct Socket Operations

    FileFunctions Used
    sx_frp.csocket(), connect(), send(), recv(), getaddrinfo(), setsockopt(), close()
    sxmux_session.csocket(AF_UNIX), bind(), listen(), accept(), connect()
    sxmail_queue.csocket(), connect(), send(), recv(), getaddrinfo()
    sxmail_smtp.caccept(), send(), recv()
    bridge/ws2tcp.csocket(), bind(), listen(), accept(), connect(), epoll_*()
    scorpiox-server.csocket(), bind(), listen(), accept(), setsockopt()
    scorpiox-dns.csocket(), bind(), sendto(), recvfrom()
    scorpiox-claudecode-fetchtoken.csocket(), connect(), recv(), getaddrinfo()
    sx_http_relay.csocket(), connect(), send(), recv(), getaddrinfo()

    Files Using libcurl (via sx_http.c)

    FilePurpose
    sx_provider_anthropic.cAnthropic API calls
    sx_provider_claude_code.cClaude Code API calls
    sx_provider_codex.cCodex API calls
    sx_claude.cScorpiox router API calls
    scorpiox-usage.cTelemetry
    scorpiox-emit-session.cSession telemetry
    scorpiox-voice.cWhisper API
    scorpiox-email.cSMTP via libcurl
    scorpiox-claudecode-refreshtoken.cOAuth token refresh
    scorpiox-codex-refreshtoken.cOAuth token refresh

    Report generated by Security Audit Agent — 2026-04-28