The scorpiox codebase is a heavily networked application with extensive outbound HTTP/HTTPS communications to multiple AI provider APIs, internal infrastructure services, and external search engines. It also includes inbound server components (SMTP, IMAP, HTTP, WebSocket, TCP) and infrastructure networking (FRP reverse proxy, container networking via slirp4netns, Unix domain sockets for IPC).
| Category | Severity | Finding |
|---|---|---|
| TLS Certificate Validation | 🔴 CRITICAL | SSL/TLS certificate verification is disabled in 8 locations across the codebase |
| Hardcoded Credentials | 🔴 CRITICAL | API keys, SSH passwords, and proxy tokens are embedded in source code |
| Plaintext Token Transport | 🟠 HIGH | OAuth tokens fetched via raw TCP (no TLS) on port 9800 |
| Telemetry | 🟡 MEDIUM | Usage tracking and session telemetry endpoints exist (disabled by default in native, configurable) |
| Broad Network Surface | 🟡 MEDIUM | Binary can communicate with 20+ distinct external endpoints |
| No Certificate Pinning | 🟡 MEDIUM | No certificate pinning on any API connections |
The application makes outbound network connections for the following purposes:
The codebase includes several server components that listen for inbound connections:
| Component | Port(s) | Protocol | Purpose |
|---|---|---|---|
scorpiox-server | 8080 (configurable) | HTTP | Script execution server with JWT auth |
scorpiox-server-email | 25, 587, 993 | SMTP/IMAP | Full email server |
scorpiox-server-fetchtoken | 9800 | Raw TCP | Token distribution proxy |
scorpiox-server-http2tcp | 9801 | HTTP-over-TCP | HTTP relay server |
ws2tcp bridge | 6080 | WebSocket | WebSocket-to-TCP proxy (VNC) |
sxmux sessions | Unix socket | Unix domain | Terminal multiplexer IPC |
| Mechanism | Location | Purpose |
|---|---|---|
| Unix domain sockets | sxmux_session.c | Terminal multiplexer client-server |
| Named pipes (Windows) | sxmux_session.c | Windows equivalent of Unix sockets |
| Raw TCP socket | sx_http_relay.c | HTTP relay when curl unavailable |
| Slirp4netns API socket | scorpiox-unshare.c | Container port forwarding |
| Endpoint | Protocol | Source File | Purpose | Auth Method |
|---|---|---|---|---|
https://api.anthropic.com/v1/messages | HTTPS | sx_provider_anthropic.c, sx_provider_claude_code.c | Anthropic Messages API | API key / OAuth Bearer |
https://api.anthropic.com/v1/messages?beta=true | HTTPS | sx_provider_claude_code.c, sx_provider_claude_code_wasm.c | Claude Code API (beta) | OAuth Bearer |
https://api.anthropic.com/v1/models | HTTPS | scorpiox-claudecode-models.c | Model listing | OAuth Bearer |
https://api.z.ai/api/anthropic | HTTPS | sx_provider_anthropic.c | Z.AI proxy | API key |
https://api.z.ai/api/anthropic/v1/messages | HTTPS | sx_config_embedded.c | Z.AI proxy (embedded) | API key |
http://192.168.1.12:8045/v1/messages | HTTP ⚠️ | sx_config_embedded.c | Antigravity proxy (LAN) | API key |
https://api.openai.com/v1/chat/completions | HTTPS | sx_provider_openai_wasm.c | OpenAI API | API key |
https://chatgpt.com/backend-api/codex/responses | HTTPS | sx_provider_codex.c | OpenAI Codex API | OAuth |
https://generativelanguage.googleapis.com/v1beta | HTTPS | sx_provider_gemini_wasm.c | Google Gemini API | API key |
https://opus.scorpiox.net | HTTPS | sx_config_embedded.c | OpenAI-compatible proxy | API key |
https://qwen3-coder-next.scorpiox.net | HTTPS | scorpiox-openai.c | Qwen3 proxy | API key |
| Endpoint | Protocol | Source File | Purpose |
|---|---|---|---|
http://scorpiox.net:5176 | HTTP ⚠️ | sx_config_embedded.c | Router URL |
http://token.scorpiox.net/claude | HTTP ⚠️ | sx_config.c, sx_config_embedded.c | Claude Code token fetch |
http://token.scorpiox.net/codex | HTTP ⚠️ | sx_config.c, sx_config_embedded.c | Codex token fetch |
http://token.scorpiox.net/gemini | HTTP ⚠️ | sx_config.c, sx_config_embedded.c | Gemini token fetch |
https://code.scorpiox.net/usage-send | HTTPS | scorpiox-usage.c, sx_config_embedded.c | Usage telemetry |
https://code.scorpiox.net/sessions-send | HTTPS | scorpiox-emit-session.c, sx_config_embedded.c | Session telemetry |
https://dist.scorpiox.net/container-images/ | HTTPS | scorpiox-wsl.c, scorpiox-vm.c, scorpiox-unshare.c | Container image downloads |
https://dist.scorpiox.net/executables/ | HTTPS | scorpiox-wsl.c, sx_bridge.c | Executable updates |
https://dist.scorpiox.net/firmware/ | HTTPS | scorpiox-vm.c | VM BIOS/firmware |
https://dist.scorpiox.net/scorpiox/ | HTTPS | sx_config.c | Distribution packages |
https://dist.scorpiox.net/scorpiox/index.txt | HTTPS | sx_config.c | Package index |
https://whisper.scorpiox.net/ | HTTPS | scorpiox-voice.c | Voice transcription |
https://login.scorpiox.net/ | HTTPS | scorpiox-server.c | JWT issuer |
https://git.scorpiox.net | HTTPS | sx_config_embedded.c | Git server |
registry.scorpiox.net | HTTPS | sx_config_embedded.c | Container registry |
anthropic.scorpiox.net | HTTPS | sx_provider_claude_code.c | Anthropic API proxy |
relay.scorpiox.net:9801 | TCP | sx_config_embedded.c | HTTP relay server |
proxy.scorpiox.net:9800 | TCP | sx_config.c | Token proxy |
| Endpoint | Protocol | Source File | Purpose |
|---|---|---|---|
https://console.anthropic.com/v1/oauth/token | HTTPS | scorpiox-claudecode-refreshtoken.c | Claude OAuth token refresh |
https://auth.openai.com/oauth/token | HTTPS | scorpiox-codex-refreshtoken.c | Codex OAuth token refresh |
| Endpoint | Protocol | Source File | Purpose |
|---|---|---|---|
https://www.mojeek.com/search | HTTPS | scorpiox-websearch.c | Mojeek search |
https://search.brave.com/search | HTTPS | scorpiox-websearch.c | Brave search |
https://html.duckduckgo.com/html/ | HTTPS | sx_agent_tools_wasm.c | DuckDuckGo search |
https://www.google.com/search | HTTPS | Config templates | Google search |
https://www.bing.com/search | HTTPS | Config templates | Bing search |
https://search.yahoo.com/search | HTTPS | Config templates | Yahoo search |
https://yandex.com/search/ | HTTPS | Config templates | Yandex search |
https://www.startpage.com/sp/search | HTTPS | Config templates | Startpage search |
https://www.ecosia.org/search | HTTPS | Config templates | Ecosia search |
https://www.qwant.com/ | HTTPS | Config templates | Qwant search |
https://searx.be/search | HTTPS | Config templates | SearX search |
| IP Address | Port | Source File | Purpose |
|---|---|---|---|
192.168.1.12 | 8045 | sx_config_embedded.c | Antigravity proxy (LAN) |
192.168.1.3 | — | sx_config_embedded.c | TMux remote host / SMB share |
192.168.1.6 | 22223 | sx_config_embedded.c | Claude Code SSH host |
20.53.240.54 | 9800 | sx_config_embedded.c | TCP token proxy (Azure IP) |
127.0.0.1 | Various | Multiple | Loopback/local relay |
10.0.2.3 | — | scorpiox-unshare.c | Slirp4netns DNS |
sx_http.c wraps libcurl for all HTTP requests via sx_http_request().
sx_get_ca_bundle_path()HTTP_RELAY=1, all HTTP requests are serialized over a custom SXH1 binary protocol via plain TCP to relay.scorpiox.net:9801, eliminating curl/TLS dependencies on the client side. The relay server performs the actual HTTPS request.
scorpiox-claudecode-fetchtoken.c, scorpiox-codex-fetchtoken.c, scorpiox-gemini-fetchtoken.c):
TCP_HOST:TCP_PORT (default: proxy.scorpiox.net:9800 / 20.53.240.54:9800)access_token and expires_at fieldssx_http_relay.c):
SXH1/SXR1 over plain TCP127.0.0.1:9801 or configurablesxmail_smtp.c):
sxmail_imap.c):
sxmail_queue.c):
getaddrinfo() + res_query() (DNS)sx_frp.c)ws2tcp.c)sxmux_session.c)AF_UNIX / SOCK_STREAM/tmp/ or runtime dirscorpiox-unshare.c)CLONE_NEWNET for network namespace isolationAF_UNIX)10.0.2.3 or host resolv.conf copyport+:target syntaxscorpiox-usage.c)USAGE_TRACKING=0 in both sx_config.c and sx_config_embedded.c)https://code.scorpiox.net/usage-send- Provider name (claude, gemini, openai)
- Model name
- Token counts (input, output, cache_read, cache_write)
- Service tier
- Project name (basename of cwd)
- Git branch (auto-detected)
- Machine metadata: hostname, username, OS, arch, OS version, scorpiox version
scorpiox-emit-session.c)EMIT_SESSION_TRACKING=0)https://code.scorpiox.net/sessions-send- Message type (user, assistant, tool_call, tool_result, error, thinking, system_prompt)
- Full message text (up to 1MB from file)
- Provider and model name
- Project name, git branch
- Machine metadata: hostname, username, OS, arch
sx_cache_keepalive.c)CACHE_KEEPALIVE=0), enabled in WASM config.scorpiox/traffics/ directoriesCertificate verification is explicitly disabled in 8 locations:
| File | Line | Code | Context |
|---|---|---|---|
sxmail_tls.c | 185 | MBEDTLS_SSL_VERIFY_NONE | Email server TLS (inbound SMTP/IMAP) |
sxmail_queue.c | 532 | MBEDTLS_SSL_VERIFY_NONE | Outbound SMTP relay TLS client |
sx_frp.c | 1105 | MBEDTLS_SSL_VERIFY_NONE | FRP reverse proxy TLS |
scorpiox-gemini-fetchtoken.c | 125-126 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | Gemini token fetcher |
scorpiox-email.c | 342-343 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | Email sending via curl |
scorpiox-codex-refreshtoken.c | 464-465 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | Codex OAuth token refresh |
scorpiox-codex-fetchtoken.c | 437-438 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | Codex token fetcher |
scorpiox-claudecode-refreshtoken.c | 341-342 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | Claude OAuth token refresh |
scorpiox-claudecode-fetchtoken.c | 341-342 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | Claude token fetcher |
scorpiox-traffic.c | 979 | setenv("CURLOPT_SSL_VERIFYPEER", "0", 1) | Traffic capture proxy |
sxmail_tls.c: Enforces minimum TLS 1.2 (MBEDTLS_SSL_VERSION_TLS1_2) — ✅ Goodsxmail_queue.c: Uses MBEDTLS_SSL_PRESET_DEFAULT — No explicit minimum setsx_frp.c: Uses MBEDTLS_SSL_PRESET_DEFAULT — No explicit minimum setsx_get_ca_bundle_path())TMUX_PODMAN_TLS_VERIFY=false in embedded config — disables registry TLS verificationUser Input
│
▼
sx.c (main loop)
│
├──► sx_provider_*.c (build JSON request)
│ │
│ ▼
│ sx_http.c / sx_http_relay.c
│ │
│ ├──[HTTP_RELAY=0]──► libcurl ──► HTTPS ──► api.anthropic.com
│ │ api.openai.com
│ │ generativelanguage.googleapis.com
│ │
│ └──[HTTP_RELAY=1]──► TCP:9801 ──► relay.scorpiox.net ──► target API
│
├──► scorpiox-usage (fire-and-forget)
│ │
│ └──► HTTPS POST ──► code.scorpiox.net/usage-send
│
└──► scorpiox-emit-session (fire-and-forget, if enabled)
│
└──► HTTPS POST ──► code.scorpiox.net/sessions-send
Provider init (needs OAuth token)
│
├──[TOKEN_MODE_LOCAL]──► Read ~/.claude/.credentials.json
│
├──[TOKEN_MODE_REMOTE]──► HTTP GET ──► token.scorpiox.net/claude
│ token.scorpiox.net/codex
│ token.scorpiox.net/gemini
│
├──[TOKEN_MODE_SSH]──► SSH ──► remote_host ──► cat ~/.claude/.credentials.json
│ (uses scorpiox-sshpass with hardcoded password "xboxone")
│
└──[TOKEN_MODE_TCP]──► Raw TCP ──► proxy.scorpiox.net:9800
(20.53.240.54:9800)
⚠️ PLAINTEXT — tokens in cleartext
Inbound:
Remote MTA ──► TCP:25 ──► sxmail_smtp.c (EHLO/AUTH/STARTTLS)
│
Remote MUA ──► TCP:587 ──► sxmail_smtp.c (submission, AUTH required)
│
▼
sxmail_queue.c (local store)
│
Remote MUA ──► TCP:993 ──► sxmail_imap.c (TLS, FETCH/SELECT/SEARCH)
Outbound:
sxmail_queue.c ──► MX lookup (getaddrinfo) ──► TCP:25 ──► Remote MX
└──► Smarthost relay (TLS) ──► TCP:465/587 ──► Relay host
The following credentials are embedded in source code (primarily in sx_config_embedded.c for WASM builds):
| Credential | Value | File | Risk |
|---|---|---|---|
| Anthropic Antigravity API Key | sk-6088a10dc3c1473cac567069b0e557f6 | sx_config_embedded.c:18 | API abuse |
| Z.AI API Key | 9c6fba5db3f84613aaf8700b05990835.ue19jY48d9GmddqX | sx_config_embedded.c:20 | API abuse |
| Gemini API Key | AIzaSyDsvlLnCdMFXnlCLxurMaAO5RKI8IQHVA8 | sx_config_embedded.c:73 | API abuse |
| SSH Password | xboxone | scorpiox-sshpass.c:41, sx_config_embedded.c:115 | Remote access |
| TCP Host IP | 20.53.240.54 | sx_config_embedded.c | Infrastructure exposure |
| Function | File | Purpose |
|---|---|---|
getaddrinfo() | sxmail_queue.c:324 | MX host resolution for outbound email delivery |
getaddrinfo() | sxmail_queue.c:653 | SMTP relay host resolution |
getaddrinfo() | scorpiox-server-http2tcp.c:337 | HTTP relay server binding |
getaddrinfo() | sx_frp.c (via connect) | FRP server resolution |
getaddrinfo() | scorpiox-claudecode-fetchtoken.c | TCP token host resolution |
res_query() | sxmail_queue.c | MX record DNS queries |
All domains in the endpoint inventory (Section 3) are resolved via standard system DNS. No custom DNS resolver is used. No DNS-over-HTTPS or DNS-over-TLS.
DNS audit logging is configurable (DNS_AUDIT_LOG=0/1, DNS_AUDIT_LOG_DIR=/var/log/scorpiox-dns) but disabled by default.
Base64 encoding is used in the following network contexts:
| Pattern | File | Risk Assessment |
|---|---|---|
| AUTH PLAIN (base64 credentials) → SMTP send | sxmail_smtp.c, sxmail_queue.c | Expected — standard SMTP auth |
| DKIM signature (base64) → SMTP header | sxmail_dkim.c | Expected — standard DKIM |
| Image data (base64) → AI API POST | sx_api.h (image_result) | Expected — vision/image tool |
| Audio file → HTTP POST (multipart) | scorpiox-voice.c | Expected — voice transcription |
| Pattern | File | Risk Assessment |
|---|---|---|
| Credential files → TCP/HTTP/SSH | scorpiox-*-fetchtoken.c | Expected — token management |
| Session text (up to 1MB) → HTTPS POST | scorpiox-emit-session.c | ⚠️ Potential concern — sends full conversation including tool outputs when enabled |
| Email message body → SMTP relay | sxmail_queue.c | Expected — email relay |
| Audio WAV → HTTP POST | scorpiox-voice.c | Expected — transcription |
No unintentional data exfiltration patterns detected. All file-read-to-network patterns serve legitimate application purposes. However, the session tracking feature (EMIT_SESSION_TRACKING=1) would transmit complete conversation transcripts including tool outputs, file contents, and command results to code.scorpiox.net.
| Risk | Likelihood | Impact | Severity | Description |
|---|---|---|---|---|
| MITM on token fetch | Medium | Critical | 🔴 CRITICAL | SSL verification disabled on all token fetch/refresh operations. Attacker can intercept OAuth tokens. |
| Hardcoded credential exposure | High | High | 🔴 CRITICAL | API keys and SSH passwords in source code. Any binary distribution leaks these. |
| Plaintext token transport | Medium | Critical | 🟠 HIGH | Raw TCP token fetch (port 9800) sends OAuth tokens without encryption. |
| Session data exfiltration | Low | High | 🟡 MEDIUM | When EMIT_SESSION_TRACKING=1, full conversations sent to scorpiox.net. Disabled by default. |
| Broad attack surface | Medium | Medium | 🟡 MEDIUM | 20+ external endpoints; compromise of any proxy/relay endpoint (scorpiox.net) could intercept all AI traffic. |
| Container registry insecure | Low | Medium | 🟡 MEDIUM | TMUX_PODMAN_TLS_VERIFY=false allows MITM on container pulls. |
| Email server exposure | Medium | Medium | 🟡 MEDIUM | SMTP on port 25 with VERIFY_NONE TLS; IMAP TLS with VERIFY_NONE. |
| FRP tunnel MITM | Low | Medium | 🟡 MEDIUM | FRP TLS with VERIFY_NONE; attacker could intercept tunneled traffic. |
| DNS resolution (no DNSSEC) | Low | Low | 🟢 LOW | Standard system DNS; MX lookups could be poisoned. |
CURLOPT_SSL_VERIFYPEER=0 and MBEDTLS_SSL_VERIFY_NONE with proper verification. Use system CA store or bundled CA certificates.EMIT_SESSION_TRACKING=1. Consider excluding tool output content.mbedtls_ssl_conf_min_tls_version(TLS1_2) on all mbedTLS connections, not just sxmail_tls.c.| File | Lines | Network Role |
|---|---|---|
libsxnet/sx_http.c | 274 | HTTP client (libcurl wrapper) |
libsxnet/sx_http_relay.c | ~250 | TCP relay client for HTTP |
libsxnet/sx_http_wasm.c | — | WASM HTTP (Emscripten fetch) |
libsxnet/sx_provider_anthropic.c | — | Anthropic API client |
libsxnet/sx_provider_claude_code.c | — | Claude Code API client |
libsxnet/sx_provider_codex.c | — | OpenAI Codex API client |
libsxnet/sx_provider_openai.c | — | OpenAI-compatible provider |
libsxnet/sx_provider_gemini.c | — | Gemini API provider |
libsxnet/sx_provider_scorpiox.c | — | ScorpioX router provider |
libsxnet/sx_frp.c | ~1500 | FRP reverse proxy client |
libsxnet/sx_host.c | — | Host integration (polling) |
libsxnet/sx_mcp.c | — | MCP tool integration |
sxmail_smtp.c | — | SMTP server |
sxmail_imap.c | — | IMAP server |
sxmail_queue.c | — | SMTP outbound queue + MX delivery |
sxmail_tls.c | — | TLS wrapper (mbedTLS) |
sxmail_dkim.c | — | DKIM signing |
scorpiox-server.c | ��� | HTTP server |
scorpiox-server-http2tcp.c | — | HTTP-over-TCP relay server |
scorpiox-server-fetchtoken.c | — | Token distribution server |
scorpiox-server-email.c | — | Email server orchestrator |
scorpiox-claudecode-fetchtoken.c | — | Claude token fetcher |
scorpiox-claudecode-refreshtoken.c | — | Claude token refresher |
scorpiox-codex-fetchtoken.c | — | Codex token fetcher |
scorpiox-codex-refreshtoken.c | — | Codex token refresher |
scorpiox-gemini-fetchtoken.c | — | Gemini token fetcher |
scorpiox-usage.c | — | Usage telemetry sender |
scorpiox-emit-session.c | — | Session telemetry sender |
scorpiox-websearch.c | — | Web search client |
scorpiox-voice.c | — | Voice transcription client |
scorpiox-fetch.c | — | General URL fetcher |
scorpiox-traffic.c | — | HTTP traffic capture |
scorpiox-unshare.c | — | Container networking |
scorpiox-wsl.c | — | WSL container management |
scorpiox-vm.c | — | VM management |
scorpiox-thunderbolt4.c | — | Raw Ethernet (BPF) transfers |
scorpiox-sshpass.c | — | SSH password helper |
bridge/ws2tcp.c | — | WebSocket-to-TCP bridge |
sxmux_session.c | — | Unix socket IPC |