📄 02-network.md
⬇ Download Raw

Network Communications Audit Report

Codebase: scorpiox/clang Audit Date: 2026-04-28 Auditor: Security Audit Agent Scope: All network-related function calls, endpoints, protocols, and telemetry

1. Network Activity Summary

The scorpiox codebase is a highly network-active application suite. It contains:

Key Libraries Used

LibraryPurposeFiles
libcurlHTTP/HTTPS client (native builds)sx_http.c, all provider_*.c, email, fetchtoken, etc.
mbedTLSTLS for SMTP/FRP/mail (non-curl paths)sx_frp.c, sxmail_tls.c, sxmail_queue.c
POSIX socketsRaw TCP (fetchtoken, beam, server, DNS)sx_tcp_fetch.c, scorpiox-beam.c, scorpiox-server.c, scorpiox-dns.c
BPF (macOS)Raw Ethernet over Thunderbolt 4libtb4/tb4_transport.c

2. Endpoint Inventory

2.1 AI Provider API Endpoints

EndpointProtocolPortPurposeInitiated ByFile(s)
https://api.anthropic.com/v1/messagesHTTPS443Anthropic Claude API (direct)User action (chat)sx_provider_anthropic.c, sx_provider_claude_code.c
https://api.anthropic.com/v1/messages?beta=trueHTTPS443Anthropic Claude API (beta features)User action (chat)sx_provider_claude_code.c
https://api.anthropic.com/v1/modelsHTTPS443List available modelsUser action (models cmd)scorpiox-claudecode-models.c
https://chatgpt.com/backend-api/codex/responsesHTTPS443OpenAI Codex APIUser action (chat)sx_provider_codex.c
https://api.openai.com/v1/chat/completionsHTTPS443OpenAI Chat CompletionsUser action (chat)scorpiox-openai.c
https://generativelanguage.googleapis.com/v1betaHTTPS443Google Gemini APIUser action (chat)scorpiox-gemini.c
https://api.z.ai/api/anthropic/v1/messagesHTTPS443Z.AI proxy for AnthropicUser action (chat)sx_provider_anthropic.c, config
http://192.168.1.12:8045/v1/messagesHTTP8045Antigravity proxy (LAN)User action (chat)config_embedded.c
http://192.168.1.204:8045/v1/messagesHTTP8045Antigravity proxy (LAN, alt)User action (chat)config
https://opus.scorpiox.netHTTPS443ScorpioX OpenAI-compat endpointUser action (chat)config_embedded.c
https://qwen3-coder-next.scorpiox.netHTTPS443Qwen3 coder endpointUser action (chat)scorpiox-openai.c (example)
http://scorpiox.net:5176HTTP5176ScorpioX router (WASM default)User action (chat)config_embedded.c
https://scorpiox.net/apiHTTPS443ScorpioX APIUser actionconfig

2.2 OAuth / Token Endpoints

EndpointProtocolPortPurposeInitiated ByFile(s)
https://console.anthropic.com/v1/oauth/tokenHTTPS443Claude Code OAuth token refreshAutomatic (token expiry)scorpiox-claudecode-refreshtoken.c
https://auth.openai.com/oauth/tokenHTTPS443Codex OAuth token refreshAutomatic (token expiry)scorpiox-codex-refreshtoken.c
http://token.scorpiox.net/claudeHTTP80Remote Claude token fetchAuto/configscorpiox-claudecode-fetchtoken.c
http://token.scorpiox.net/codexHTTP80Remote Codex token fetchAuto/configscorpiox-codex-fetchtoken.c
http://token.scorpiox.net/geminiHTTP80Remote Gemini token fetchAuto/configscorpiox-gemini-fetchtoken.c
https://login.scorpiox.net/HTTPS443JWT issuer validationServer authscorpiox-server.c

2.3 Telemetry / Reporting Endpoints

EndpointProtocolPortPurposeInitiated ByFile(s)
https://code.scorpiox.net/usage-sendHTTPS443Token usage reportingAutomatic (after API call)scorpiox-usage.c
https://code.scorpiox.net/sessions-sendHTTPS443Session event telemetryAutomatic (per message)scorpiox-emit-session.c, sx.c

2.4 Distribution / Update Endpoints

EndpointProtocolPortPurposeInitiated ByFile(s)
https://dist.scorpiox.net/container-images/HTTPS443Container image downloadsUser action (run VM/WSL)scorpiox-vm.c, scorpiox-wsl.c, scorpiox-unshare.c
https://dist.scorpiox.net/executables/HTTPS443Binary updates (WSL)Automatic (update check)scorpiox-wsl.c
https://dist.scorpiox.net/executables/scorpiox-wsl.exeHTTPS443WSL binary updateAutomaticconfig_embedded.c
https://dist.scorpiox.net/executables/scorpiox-whatsapp-bridge-*HTTPS443WhatsApp bridge downloadUser actionscorpiox-whatsapp.c
https://dist.scorpiox.net/firmware/HTTPS443SeaBIOS firmware downloadUser action (VM)scorpiox-vm.c
https://dist.scorpiox.net/scorpiox/index.txtHTTPS443Branch/version auto-detectionAutomatic (build/deploy)sx_config.c
https://dist.scorpiox.net/scorpiox/sx/scorpiox_code.tar.gzHTTPS443Scorpiox code tarballUser action (tmux deploy)scorpiox-tmux.c

2.5 Web Search Endpoints

EndpointProtocolPortPurposeInitiated ByFile(s)
https://www.mojeek.com/search?q=…HTTPS443Mojeek web searchUser action (WebSearch tool)scorpiox-websearch.c
https://search.brave.com/search?q=…HTTPS443Brave web searchUser action (WebSearch tool)scorpiox-websearch.c
https://html.duckduckgo.com/html/?q=…HTTPS443DuckDuckGo web searchUser action (WebSearch tool)scorpiox-websearch.c
https://www.google.com/search?q=…HTTPS443Google web searchTemplate (config)config
https://www.bing.com/search?q=…HTTPS443Bing web searchTemplate (config)config
https://yandex.com/search/?text=…HTTPS443Yandex web searchTemplate (config)config
https://www.ecosia.org/search?q=…HTTPS443Ecosia web searchTemplate (config)config
https://www.startpage.com/sp/search?query=…HTTPS443Startpage web searchTemplate (config)config
https://www.qwant.com/?q=…HTTPS443Qwant web searchTemplate (config)config
https://search.yahoo.com/search?p=…HTTPS443Yahoo web searchTemplate (config)config
https://searx.be/search?q=…HTTPS443SearX web searchTemplate (config)config

2.6 Voice / Whisper Endpoint

EndpointProtocolPortPurposeInitiated ByFile(s)
https://whisper.scorpiox.net/HTTPS443Speech-to-text (Whisper API)User action (voice cmd)scorpiox-voice.c

2.7 Server / Listening Services

ServiceProtocolDefault PortPurposeFile(s)
HTTP ServerTCP/HTTP8080CGI-style script serverscorpiox-server.c
Host API ServerTCP/HTTP7432Agent host control APIscorpiox-host.c
Fetchtoken ServerTCP9800Token bridge (TCP→HTTP)scorpiox-server-fetchtoken.c
HTTP-to-TCP RelayTCP9801HTTP relay for TLS-free clientsscorpiox-server-http2tcp.c
DNS ServerUDP+TCP53Local DNS (*.scorpiox.net zone)scorpiox-dns.c
SMTP ServerTCP25, 587Mail Transfer Agentscorpiox-server-email.c
IMAP ServerTCP993Mail retrievalscorpiox-server-email.c
WebSocket BridgeTCP/WS6080WebSocket-to-TCP (noVNC)bridge/ws2tcp.c
Beam TransferTCP9876File transfer servicescorpiox-beam.c
SDK Host ServerTCP/HTTP7432SDK agent orchestrationscorpiox-sdk.c
CDP ConnectionTCP9222Chrome DevTools Protocolscorpiox-fetch.c

2.8 Internal / Infrastructure

Endpoint / ServiceProtocolPortPurposeFile(s)
TCP_HOST (default: 20.53.240.54 or proxy.scorpiox.net)TCP9800Token fetch via raw TCPsx_tcp_fetch.c
anthropic.scorpiox.netHTTPS443Claude Code API proxysx_provider_claude_code.c
relay.scorpiox.netTCP9801HTTP relay hostconfig_embedded.c
FRP server (configurable)TCP+TLS7000Reverse proxy tunnelingsx_frp.c
localhost:3001TCP3001PowerShell remotingconfig (PWSH_HOST)
http://localhost:8087/claudeHTTP8087Local fetchtoken upstreamscorpiox-server-fetchtoken.c
http://localhost:9100HTTP9100Local service (config example)config
SSH targets (configurable)TCP22/22223Remote token fetch via SSHscorpiox-claudecode-fetchtoken.c

2.9 Hardcoded IP Addresses

IP AddressContextFile(s)
20.53.240.54Default TCP_HOST for fetchtoken (Azure IP)config_embedded.c
192.168.1.12Antigravity LAN proxyconfig_embedded.c
192.168.1.204Antigravity LAN proxy (alt)config
192.168.1.6Default CLAUDE_CODE_SSH_HOSTconfig_embedded.c
192.168.1.3Default TMUX_REMOTE_HOSTconfig_embedded.c
127.0.0.1Localhost (relay, SDK, various)Multiple files
0.0.0.0DNS bind addressscorpiox-dns.c
8.8.8.8, 1.1.1.1Default DNS upstreamscorpiox-dns.c

3. Protocol Analysis

3.1 HTTP/HTTPS (via libcurl)

3.2 Raw TCP (POSIX sockets)

3.3 FRP Tunneling

3.4 WebSocket

3.5 Raw Ethernet (Thunderbolt 4)

3.6 SMTP/IMAP


4. Telemetry Assessment

Rating: MODERATE — opt-in telemetry with fire-and-forget pattern

4.1 Session Event Telemetry (EMIT_SESSION_TRACKING)

4.2 Token Usage Telemetry (USAGE_TRACKING)

4.3 Cache Keepalive (NOT telemetry)

4.4 Traffic Logging (Local)


5. TLS/SSL Security Assessment

5.1 Certificate Validation Disabled (⚠ HIGH RISK)

Multiple files disable SSL peer and host verification:

FileCodeRisk
scorpiox-claudecode-fetchtoken.c:341-342CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0HIGH — OAuth token fetch with no cert validation
scorpiox-claudecode-refreshtoken.c:341-342CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0HIGH — OAuth refresh with no cert validation
scorpiox-codex-fetchtoken.c:437-438CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0HIGH — Codex token fetch
scorpiox-codex-refreshtoken.c:464-465CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0HIGH — Codex token refresh
scorpiox-gemini-fetchtoken.c:125-126CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0HIGH — Gemini token fetch
scorpiox-email.c:342-343CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0MEDIUM — Email SMTP client
scorpiox-traffic.c:980setenv("CURLOPT_SSL_VERIFYPEER", "0", 1)MEDIUM — Traffic capture proxy
sxmail_tls.c:185MBEDTLS_SSL_VERIFY_NONEMEDIUM — Mail TLS
sxmail_queue.c:532MBEDTLS_SSL_VERIFY_NONEMEDIUM — Outbound SMTP relay TLS
sx_frp.c:1105MBEDTLS_SSL_VERIFY_NONEMEDIUM — FRP tunnel TLS
Pattern observed: Most files attempt CA bundle loading first (CURLOPT_CAINFO), then fall back to disabling verification. This suggests a development/portability workaround that was never properly resolved.

5.2 Proper TLS Usage

5.3 Token Transport Over HTTP (⚠ RISK)

Several token fetch endpoints use plain HTTP (not HTTPS):


6. Data Flow Diagrams

6.1 AI Chat Flow

User Input → sx.c → sx_agent.c → sx_provider_*.c

┌──────────────────────┼──────────────────────┐

▼ ▼ ▼

api.anthropic.com chatgpt.com/backend-api googleapis.com

(Claude API) (Codex API) (Gemini API)

│ │ │

▼ ▼ ▼

AI Response → sx_agent.c → sx.c → Display

├── emit_session_msg() ──→ code.scorpiox.net/sessions-send

└── scorpiox-usage ──────→ code.scorpiox.net/usage-send

6.2 Token Acquisition Flow

sx_provider_claude_code.c → load_oauth_token_ex()

├── LOCAL: Read ~/.claude/.credentials.json (no network)

├── SSH: SSH to CLAUDE_CODE_SSH_HOST → read credentials

├── REMOTE: HTTP GET http://token.scorpiox.net/claude

└── TCP: Raw TCP to TCP_HOST:TCP_PORT (SXV1 protocol)

scorpiox-server-fetchtoken (TCP:9800)

HTTP upstream (localhost:8087/claude)

6.3 Update/Distribution Flow

scorpiox-wsl.c → check_for_update()

dist.scorpiox.net/executables/scorpiox-wsl.exe

Compare binary size → Replace if different

scorpiox-vm.c → download VM images / BIOS firmware

dist.scorpiox.net/container-images/

dist.scorpiox.net/firmware/bios-256k.bin

6.4 FRP Tunnel Flow

Local Service (port N) ←── sx_frp.c ──→ frps server (port 7000)

TCP + yamux │

AES-128-CFB ▼

(optional TLS) Remote clients


7. Embedded Credentials / API Keys

⚠ CRITICAL FINDING: The WASM embedded configuration contains hardcoded API keys:
KeyValueFile
ANTHROPIC_ANTIGRAVITY_KEYsk-6088a10dc3c1473cac567069b0e557f6config_embedded.c
ANTHROPIC_ZAI_KEY9c6fba5db3f84613aaf8700b05990835.ue19jY48d9GmddqXconfig_embedded.c

These are compiled into the WASM binary and could be extracted by anyone with access to it.


8. DNS Resolution Analysis

8.1 Domains Resolved at Runtime

All domains below are resolved via getaddrinfo() or libcurl's internal resolver:

8.2 DNS Server (scorpiox-dns.c)


9. Risk Assessment

Critical Risks

#RiskSeverityDescription
1Hardcoded API keys in WASM config🔴 CRITICALANTHROPIC_ANTIGRAVITY_KEY and ANTHROPIC_ZAI_KEY embedded in source. Can be extracted from compiled WASM.
2SSL verification disabled across token fetchers🔴 CRITICAL6+ files disable SSL_VERIFYPEER and SSL_VERIFYHOST. OAuth tokens (bearing full API access) are fetched without certificate validation, enabling MITM attacks.
3OAuth tokens transported over plain HTTP🔴 CRITICALtoken.scorpiox.net endpoints use http:// (not https://). Tokens can be intercepted on the network.
4Raw TCP token transport (no encryption)🟠 HIGHsx_tcp_fetch.c sends token requests over unencrypted TCP to 20.53.240.54:9800. API keys (SXV1 AUTH=key) sent in plaintext.

High Risks

#RiskSeverityDescription
5Hardcoded LAN IP addresses🟠 HIGHPrivate IPs (192.168.1.x) hardcoded in embedded config. Could expose internal network topology.
6Full message telemetry🟠 HIGHWhen EMIT_SESSION_TRACKING=1, complete user prompts and AI responses are POSTed to code.scorpiox.net. Temp files written to /tmp/.
7FRP tunnel with VERIFY_NONE🟠 HIGHFRP client TLS uses MBEDTLS_SSL_VERIFY_NONE. Tunnel endpoint identity not verified.
8Auto-update with no code signing🟠 HIGHscorpiox-wsl.c downloads and replaces its own binary from dist.scorpiox.net without signature verification. Only file size comparison.

Medium Risks

#RiskSeverityDescription
9SMTP with disabled cert verification🟡 MEDIUMEmail client and outbound queue disable TLS verification.
10DNS server on port 53🟡 MEDIUMBuilt-in DNS server could be used for DNS spoofing if misconfigured.
11Multiple listening services🟡 MEDIUM10+ server components bind to various ports. Attack surface is broad.
12fire-and-forget telemetry via system()🟡 MEDIUMsx.c uses system() to spawn telemetry process. Command injection risk if session IDs are not sanitized.

Low Risks

#RiskSeverityDescription
13Web search scraping🟢 LOWMultiple search engines contacted; user-agent spoofing as Chrome.
14Voice audio upload🟢 LOWAudio files uploaded to whisper.scorpiox.net for transcription. User-initiated.
15Thunderbolt raw ethernet🟢 LOWCustom EtherType 0x88B5 protocol. Requires root/BPF. macOS only.

10. Recommendations

  • IMMEDIATE: Remove hardcoded API keys from sx_config_embedded.c. Use environment variables or secure key management.
  • IMMEDIATE: Enable SSL certificate verification on all token fetch/refresh paths. Remove all SSL_VERIFYPEER=0 fallbacks.
  • HIGH: Migrate all token.scorpiox.net endpoints from http:// to https://.
  • HIGH: Add TLS to the TCP fetchtoken protocol (sx_tcp_fetch.c), or migrate to HTTPS.
  • HIGH: Implement binary signature verification for auto-updates (e.g., Ed25519 signatures).
  • MEDIUM: Add input sanitization for session IDs passed to system() calls in telemetry.
  • MEDIUM: Enable FRP TLS with proper certificate validation.
  • MEDIUM: Document all network endpoints and their purpose for operators.
  • LOW: Consider making telemetry endpoints configurable (already partially done via *_API_URL configs).
  • LOW: Add network activity audit logging as a built-in feature.

  • Report generated by Security Audit Agent — 2026-04-28