📄 02-network.md
⬇ Download Raw

Network Communications Audit Report

Codebase: scorpiox/clang Audit Date: 2026-04-28 Auditor: Security Audit Agent Scope: All network communications, endpoints, protocols, and telemetry in 224 non-vendor C/H source files (~143,309 LOC)

1. Executive Summary

The scorpiox codebase is a heavily networked application with extensive outbound HTTP/HTTPS communications to multiple AI provider APIs, internal infrastructure services, and external search engines. It also includes inbound server components (SMTP, IMAP, HTTP, WebSocket, TCP) and infrastructure networking (FRP reverse proxy, container networking via slirp4netns, Unix domain sockets for IPC).

Key Findings

CategorySeverityFinding
TLS Certificate Validation🔴 CRITICALSSL/TLS certificate verification is disabled in 8 locations across the codebase
Hardcoded Credentials🔴 CRITICALAPI keys, SSH passwords, and proxy tokens are embedded in source code
Plaintext Token Transport🟠 HIGHOAuth tokens fetched via raw TCP (no TLS) on port 9800
Telemetry🟡 MEDIUMUsage tracking and session telemetry endpoints exist (disabled by default in native, configurable)
Broad Network Surface🟡 MEDIUMBinary can communicate with 20+ distinct external endpoints
No Certificate Pinning🟡 MEDIUMNo certificate pinning on any API connections

2. Network Activity Summary

2.1 Outbound Communications (Client-Initiated)

The application makes outbound network connections for the following purposes:

  • AI Provider API Calls — Primary function; sends user prompts/tool results, receives AI completions
  • Token Fetching — OAuth token retrieval via HTTP, SSH, or raw TCP
  • Usage Telemetry — Posts token usage statistics and session events to scorpiox.net
  • Web Search — Queries search engines (Mojeek, Brave, DuckDuckGo, Google, Bing, Yahoo, Yandex, Startpage, Ecosia, Qwant, Searx)
  • Voice Transcription — Sends audio to Whisper API endpoint
  • Distribution Downloads — Fetches container images, executables, firmware, self-updates
  • URL Fetching — General-purpose HTTP fetcher for ReadDocs tool
  • FRP Reverse Proxy — Connects to FRP server for reverse tunneling
  • Email Relay — Outbound SMTP relay via smarthost
  • MX Delivery — Direct SMTP delivery to remote mail servers
  • Git Operations — Clone/push via HTTPS with embedded PAT tokens
  • 2.2 Inbound Communications (Server Components)

    The codebase includes several server components that listen for inbound connections:

    ComponentPort(s)ProtocolPurpose
    scorpiox-server8080 (configurable)HTTPScript execution server with JWT auth
    scorpiox-server-email25, 587, 993SMTP/IMAPFull email server
    scorpiox-server-fetchtoken9800Raw TCPToken distribution proxy
    scorpiox-server-http2tcp9801HTTP-over-TCPHTTP relay server
    ws2tcp bridge6080WebSocketWebSocket-to-TCP proxy (VNC)
    sxmux sessionsUnix socketUnix domainTerminal multiplexer IPC

    2.3 Internal Communications (IPC)

    MechanismLocationPurpose
    Unix domain socketssxmux_session.cTerminal multiplexer client-server
    Named pipes (Windows)sxmux_session.cWindows equivalent of Unix sockets
    Raw TCP socketsx_http_relay.cHTTP relay when curl unavailable
    Slirp4netns API socketscorpiox-unshare.cContainer port forwarding

    3. Endpoint Inventory

    3.1 AI Provider Endpoints

    EndpointProtocolSource FilePurposeAuth Method
    https://api.anthropic.com/v1/messagesHTTPSsx_provider_anthropic.c, sx_provider_claude_code.cAnthropic Messages APIAPI key / OAuth Bearer
    https://api.anthropic.com/v1/messages?beta=trueHTTPSsx_provider_claude_code.c, sx_provider_claude_code_wasm.cClaude Code API (beta)OAuth Bearer
    https://api.anthropic.com/v1/modelsHTTPSscorpiox-claudecode-models.cModel listingOAuth Bearer
    https://api.z.ai/api/anthropicHTTPSsx_provider_anthropic.cZ.AI proxyAPI key
    https://api.z.ai/api/anthropic/v1/messagesHTTPSsx_config_embedded.cZ.AI proxy (embedded)API key
    http://192.168.1.12:8045/v1/messagesHTTP ⚠️sx_config_embedded.cAntigravity proxy (LAN)API key
    https://api.openai.com/v1/chat/completionsHTTPSsx_provider_openai_wasm.cOpenAI APIAPI key
    https://chatgpt.com/backend-api/codex/responsesHTTPSsx_provider_codex.cOpenAI Codex APIOAuth
    https://generativelanguage.googleapis.com/v1betaHTTPSsx_provider_gemini_wasm.cGoogle Gemini APIAPI key
    https://opus.scorpiox.netHTTPSsx_config_embedded.cOpenAI-compatible proxyAPI key
    https://qwen3-coder-next.scorpiox.netHTTPSscorpiox-openai.cQwen3 proxyAPI key

    3.2 ScorpioX Infrastructure Endpoints

    EndpointProtocolSource FilePurpose
    http://scorpiox.net:5176HTTP ⚠️sx_config_embedded.cRouter URL
    http://token.scorpiox.net/claudeHTTP ⚠️sx_config.c, sx_config_embedded.cClaude Code token fetch
    http://token.scorpiox.net/codexHTTP ⚠️sx_config.c, sx_config_embedded.cCodex token fetch
    http://token.scorpiox.net/geminiHTTP ⚠️sx_config.c, sx_config_embedded.cGemini token fetch
    https://code.scorpiox.net/usage-sendHTTPSscorpiox-usage.c, sx_config_embedded.cUsage telemetry
    https://code.scorpiox.net/sessions-sendHTTPSscorpiox-emit-session.c, sx_config_embedded.cSession telemetry
    https://dist.scorpiox.net/container-images/HTTPSscorpiox-wsl.c, scorpiox-vm.c, scorpiox-unshare.cContainer image downloads
    https://dist.scorpiox.net/executables/HTTPSscorpiox-wsl.c, sx_bridge.cExecutable updates
    https://dist.scorpiox.net/firmware/HTTPSscorpiox-vm.cVM BIOS/firmware
    https://dist.scorpiox.net/scorpiox/HTTPSsx_config.cDistribution packages
    https://dist.scorpiox.net/scorpiox/index.txtHTTPSsx_config.cPackage index
    https://whisper.scorpiox.net/HTTPSscorpiox-voice.cVoice transcription
    https://login.scorpiox.net/HTTPSscorpiox-server.cJWT issuer
    https://git.scorpiox.netHTTPSsx_config_embedded.cGit server
    registry.scorpiox.netHTTPSsx_config_embedded.cContainer registry
    anthropic.scorpiox.netHTTPSsx_provider_claude_code.cAnthropic API proxy
    relay.scorpiox.net:9801TCPsx_config_embedded.cHTTP relay server
    proxy.scorpiox.net:9800TCPsx_config.cToken proxy

    3.3 OAuth Token Endpoints

    EndpointProtocolSource FilePurpose
    https://console.anthropic.com/v1/oauth/tokenHTTPSscorpiox-claudecode-refreshtoken.cClaude OAuth token refresh
    https://auth.openai.com/oauth/tokenHTTPSscorpiox-codex-refreshtoken.cCodex OAuth token refresh

    3.4 Web Search Endpoints

    EndpointProtocolSource FilePurpose
    https://www.mojeek.com/searchHTTPSscorpiox-websearch.cMojeek search
    https://search.brave.com/searchHTTPSscorpiox-websearch.cBrave search
    https://html.duckduckgo.com/html/HTTPSsx_agent_tools_wasm.cDuckDuckGo search
    https://www.google.com/searchHTTPSConfig templatesGoogle search
    https://www.bing.com/searchHTTPSConfig templatesBing search
    https://search.yahoo.com/searchHTTPSConfig templatesYahoo search
    https://yandex.com/search/HTTPSConfig templatesYandex search
    https://www.startpage.com/sp/searchHTTPSConfig templatesStartpage search
    https://www.ecosia.org/searchHTTPSConfig templatesEcosia search
    https://www.qwant.com/HTTPSConfig templatesQwant search
    https://searx.be/searchHTTPSConfig templatesSearX search

    3.5 Hardcoded Internal IPs

    IP AddressPortSource FilePurpose
    192.168.1.128045sx_config_embedded.cAntigravity proxy (LAN)
    192.168.1.3sx_config_embedded.cTMux remote host / SMB share
    192.168.1.622223sx_config_embedded.cClaude Code SSH host
    20.53.240.549800sx_config_embedded.cTCP token proxy (Azure IP)
    127.0.0.1VariousMultipleLoopback/local relay
    10.0.2.3scorpiox-unshare.cSlirp4netns DNS

    4. Protocol Analysis

    4.1 HTTP/HTTPS (libcurl)

    Implementation: sx_http.c wraps libcurl for all HTTP requests via sx_http_request(). Relay Mode: When HTTP_RELAY=1, all HTTP requests are serialized over a custom SXH1 binary protocol via plain TCP to relay.scorpiox.net:9801, eliminating curl/TLS dependencies on the client side. The relay server performs the actual HTTPS request.

    4.2 Raw TCP

    Token Fetching (scorpiox-claudecode-fetchtoken.c, scorpiox-codex-fetchtoken.c, scorpiox-gemini-fetchtoken.c): HTTP Relay (sx_http_relay.c):

    4.3 SMTP/IMAP (Email Server)

    Inbound SMTP (sxmail_smtp.c): Inbound IMAP (sxmail_imap.c): Outbound SMTP (sxmail_queue.c):

    4.4 FRP Reverse Proxy (sx_frp.c)

    4.5 WebSocket (ws2tcp.c)

    4.6 Unix Domain Sockets (sxmux_session.c)

    4.7 Container Networking (scorpiox-unshare.c)


    5. Telemetry Assessment

    Rating: MODERATE — Two opt-in telemetry systems exist

    5.1 Usage Tracking (scorpiox-usage.c)

    - Session ID

    - Provider name (claude, gemini, openai)

    - Model name

    - Token counts (input, output, cache_read, cache_write)

    - Service tier

    - Project name (basename of cwd)

    - Git branch (auto-detected)

    - Machine metadata: hostname, username, OS, arch, OS version, scorpiox version

    5.2 Session Event Tracking (scorpiox-emit-session.c)

    - Session ID + sequence number

    - Message type (user, assistant, tool_call, tool_result, error, thinking, system_prompt)

    - Full message text (up to 1MB from file)

    - Provider and model name

    - Project name, git branch

    - Machine metadata: hostname, username, OS, arch

    5.3 Cache Keep-Alive (sx_cache_keepalive.c)

    5.4 Traffic Logging


    6. TLS/SSL Security Analysis

    6.1 Certificate Verification Disabled — 🔴 CRITICAL

    Certificate verification is explicitly disabled in 8 locations:

    FileLineCodeContext
    sxmail_tls.c185MBEDTLS_SSL_VERIFY_NONEEmail server TLS (inbound SMTP/IMAP)
    sxmail_queue.c532MBEDTLS_SSL_VERIFY_NONEOutbound SMTP relay TLS client
    sx_frp.c1105MBEDTLS_SSL_VERIFY_NONEFRP reverse proxy TLS
    scorpiox-gemini-fetchtoken.c125-126CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0Gemini token fetcher
    scorpiox-email.c342-343CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0Email sending via curl
    scorpiox-codex-refreshtoken.c464-465CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0Codex OAuth token refresh
    scorpiox-codex-fetchtoken.c437-438CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0Codex token fetcher
    scorpiox-claudecode-refreshtoken.c341-342CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0Claude OAuth token refresh
    scorpiox-claudecode-fetchtoken.c341-342CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0Claude token fetcher
    scorpiox-traffic.c979setenv("CURLOPT_SSL_VERIFYPEER", "0", 1)Traffic capture proxy
    Impact: All token fetch/refresh operations and email TLS are vulnerable to man-in-the-middle attacks. An attacker on the network path could intercept OAuth tokens, API keys, and email credentials.

    6.2 TLS Version

    6.3 CA Bundle

    6.4 Podman Registry


    7. Data Flow Diagrams

    7.1 AI Provider Request Flow

    User Input
    

    sx.c (main loop)

    ├──► sx_provider_*.c (build JSON request)

    │ │

    │ ▼

    │ sx_http.c / sx_http_relay.c

    │ │

    │ ├──[HTTP_RELAY=0]──► libcurl ──► HTTPS ──► api.anthropic.com

    │ │ api.openai.com

    │ │ generativelanguage.googleapis.com

    │ │

    │ └──[HTTP_RELAY=1]──► TCP:9801 ──► relay.scorpiox.net ──► target API

    ├──► scorpiox-usage (fire-and-forget)

    │ │

    │ └──► HTTPS POST ──► code.scorpiox.net/usage-send

    └──► scorpiox-emit-session (fire-and-forget, if enabled)

    └──► HTTPS POST ──► code.scorpiox.net/sessions-send

    7.2 Token Acquisition Flow

    Provider init (needs OAuth token)
    

    ├──[TOKEN_MODE_LOCAL]──► Read ~/.claude/.credentials.json

    ├──[TOKEN_MODE_REMOTE]──► HTTP GET ──► token.scorpiox.net/claude

    │ token.scorpiox.net/codex

    │ token.scorpiox.net/gemini

    ├──[TOKEN_MODE_SSH]──► SSH ──► remote_host ──► cat ~/.claude/.credentials.json

    │ (uses scorpiox-sshpass with hardcoded password "xboxone")

    └──[TOKEN_MODE_TCP]──► Raw TCP ──► proxy.scorpiox.net:9800

    (20.53.240.54:9800)

    ⚠️ PLAINTEXT — tokens in cleartext

    7.3 Email Data Flow

    Inbound:
    

    Remote MTA ──► TCP:25 ──► sxmail_smtp.c (EHLO/AUTH/STARTTLS)

    Remote MUA ──► TCP:587 ──► sxmail_smtp.c (submission, AUTH required)

    sxmail_queue.c (local store)

    Remote MUA ──► TCP:993 ──► sxmail_imap.c (TLS, FETCH/SELECT/SEARCH)

    Outbound:

    sxmail_queue.c ──► MX lookup (getaddrinfo) ──► TCP:25 ──► Remote MX

    └──► Smarthost relay (TLS) ──► TCP:465/587 ──► Relay host


    8. Hardcoded Credentials — 🔴 CRITICAL

    The following credentials are embedded in source code (primarily in sx_config_embedded.c for WASM builds):

    CredentialValueFileRisk
    Anthropic Antigravity API Keysk-6088a10dc3c1473cac567069b0e557f6sx_config_embedded.c:18API abuse
    Z.AI API Key9c6fba5db3f84613aaf8700b05990835.ue19jY48d9GmddqXsx_config_embedded.c:20API abuse
    Gemini API KeyAIzaSyDsvlLnCdMFXnlCLxurMaAO5RKI8IQHVA8sx_config_embedded.c:73API abuse
    SSH Passwordxboxonescorpiox-sshpass.c:41, sx_config_embedded.c:115Remote access
    TCP Host IP20.53.240.54sx_config_embedded.cInfrastructure exposure

    9. DNS Resolution Analysis

    9.1 DNS Calls

    FunctionFilePurpose
    getaddrinfo()sxmail_queue.c:324MX host resolution for outbound email delivery
    getaddrinfo()sxmail_queue.c:653SMTP relay host resolution
    getaddrinfo()scorpiox-server-http2tcp.c:337HTTP relay server binding
    getaddrinfo()sx_frp.c (via connect)FRP server resolution
    getaddrinfo()scorpiox-claudecode-fetchtoken.cTCP token host resolution
    res_query()sxmail_queue.cMX record DNS queries

    9.2 Domains Resolved at Runtime

    All domains in the endpoint inventory (Section 3) are resolved via standard system DNS. No custom DNS resolver is used. No DNS-over-HTTPS or DNS-over-TLS.

    DNS audit logging is configurable (DNS_AUDIT_LOG=0/1, DNS_AUDIT_LOG_DIR=/var/log/scorpiox-dns) but disabled by default.


    10. Data Exfiltration Pattern Analysis

    10.1 Base64 + Network Send

    Base64 encoding is used in the following network contexts:

    PatternFileRisk Assessment
    AUTH PLAIN (base64 credentials) → SMTP sendsxmail_smtp.c, sxmail_queue.cExpected — standard SMTP auth
    DKIM signature (base64) → SMTP headersxmail_dkim.cExpected — standard DKIM
    Image data (base64) → AI API POSTsx_api.h (image_result)Expected — vision/image tool
    Audio file → HTTP POST (multipart)scorpiox-voice.cExpected — voice transcription

    10.2 File Read + Network Send

    PatternFileRisk Assessment
    Credential files → TCP/HTTP/SSHscorpiox-*-fetchtoken.cExpected — token management
    Session text (up to 1MB) → HTTPS POSTscorpiox-emit-session.c⚠️ Potential concern — sends full conversation including tool outputs when enabled
    Email message body → SMTP relaysxmail_queue.cExpected — email relay
    Audio WAV → HTTP POSTscorpiox-voice.cExpected — transcription

    10.3 Assessment

    No unintentional data exfiltration patterns detected. All file-read-to-network patterns serve legitimate application purposes. However, the session tracking feature (EMIT_SESSION_TRACKING=1) would transmit complete conversation transcripts including tool outputs, file contents, and command results to code.scorpiox.net.


    11. Risk Assessment

    11.1 Risk Matrix

    RiskLikelihoodImpactSeverityDescription
    MITM on token fetchMediumCritical🔴 CRITICALSSL verification disabled on all token fetch/refresh operations. Attacker can intercept OAuth tokens.
    Hardcoded credential exposureHighHigh🔴 CRITICALAPI keys and SSH passwords in source code. Any binary distribution leaks these.
    Plaintext token transportMediumCritical🟠 HIGHRaw TCP token fetch (port 9800) sends OAuth tokens without encryption.
    Session data exfiltrationLowHigh🟡 MEDIUMWhen EMIT_SESSION_TRACKING=1, full conversations sent to scorpiox.net. Disabled by default.
    Broad attack surfaceMediumMedium🟡 MEDIUM20+ external endpoints; compromise of any proxy/relay endpoint (scorpiox.net) could intercept all AI traffic.
    Container registry insecureLowMedium🟡 MEDIUMTMUX_PODMAN_TLS_VERIFY=false allows MITM on container pulls.
    Email server exposureMediumMedium🟡 MEDIUMSMTP on port 25 with VERIFY_NONE TLS; IMAP TLS with VERIFY_NONE.
    FRP tunnel MITMLowMedium🟡 MEDIUMFRP TLS with VERIFY_NONE; attacker could intercept tunneled traffic.
    DNS resolution (no DNSSEC)LowLow🟢 LOWStandard system DNS; MX lookups could be poisoned.

    11.2 Recommendations

  • CRITICAL: Enable TLS certificate verification — Replace all CURLOPT_SSL_VERIFYPEER=0 and MBEDTLS_SSL_VERIFY_NONE with proper verification. Use system CA store or bundled CA certificates.
  • CRITICAL: Remove hardcoded credentials — Move all API keys, passwords, and tokens to environment variables or a secrets manager. Never embed in source code.
  • HIGH: Encrypt token transport — Add TLS to the raw TCP token fetch protocol (port 9800). Use the existing mbedTLS integration.
  • MEDIUM: Add certificate pinning — Pin certificates for critical endpoints (api.anthropic.com, api.openai.com, code.scorpiox.net).
  • MEDIUM: Audit session tracking — Document what data is collected when EMIT_SESSION_TRACKING=1. Consider excluding tool output content.
  • MEDIUM: Set minimum TLS versions — Explicitly set mbedtls_ssl_conf_min_tls_version(TLS1_2) on all mbedTLS connections, not just sxmail_tls.c.
  • LOW: Implement DNSSEC validation — For MX lookups and critical hostname resolution.

  • 12. Appendix: Source Files with Network Activity

    FileLinesNetwork Role
    libsxnet/sx_http.c274HTTP client (libcurl wrapper)
    libsxnet/sx_http_relay.c~250TCP relay client for HTTP
    libsxnet/sx_http_wasm.cWASM HTTP (Emscripten fetch)
    libsxnet/sx_provider_anthropic.cAnthropic API client
    libsxnet/sx_provider_claude_code.cClaude Code API client
    libsxnet/sx_provider_codex.cOpenAI Codex API client
    libsxnet/sx_provider_openai.cOpenAI-compatible provider
    libsxnet/sx_provider_gemini.cGemini API provider
    libsxnet/sx_provider_scorpiox.cScorpioX router provider
    libsxnet/sx_frp.c~1500FRP reverse proxy client
    libsxnet/sx_host.cHost integration (polling)
    libsxnet/sx_mcp.cMCP tool integration
    sxmail_smtp.cSMTP server
    sxmail_imap.cIMAP server
    sxmail_queue.cSMTP outbound queue + MX delivery
    sxmail_tls.cTLS wrapper (mbedTLS)
    sxmail_dkim.cDKIM signing
    scorpiox-server.c���HTTP server
    scorpiox-server-http2tcp.cHTTP-over-TCP relay server
    scorpiox-server-fetchtoken.cToken distribution server
    scorpiox-server-email.cEmail server orchestrator
    scorpiox-claudecode-fetchtoken.cClaude token fetcher
    scorpiox-claudecode-refreshtoken.cClaude token refresher
    scorpiox-codex-fetchtoken.cCodex token fetcher
    scorpiox-codex-refreshtoken.cCodex token refresher
    scorpiox-gemini-fetchtoken.cGemini token fetcher
    scorpiox-usage.cUsage telemetry sender
    scorpiox-emit-session.cSession telemetry sender
    scorpiox-websearch.cWeb search client
    scorpiox-voice.cVoice transcription client
    scorpiox-fetch.cGeneral URL fetcher
    scorpiox-traffic.cHTTP traffic capture
    scorpiox-unshare.cContainer networking
    scorpiox-wsl.cWSL container management
    scorpiox-vm.cVM management
    scorpiox-thunderbolt4.cRaw Ethernet (BPF) transfers
    scorpiox-sshpass.cSSH password helper
    bridge/ws2tcp.cWebSocket-to-TCP bridge
    sxmux_session.cUnix socket IPC

    End of Network Audit Report