The scorpiox codebase is a highly network-active application suite. It contains:
| Library | Purpose | Files |
|---|---|---|
| libcurl | HTTP/HTTPS client (native builds) | sx_http.c, all provider_*.c, email, fetchtoken, etc. |
| mbedTLS | TLS for SMTP/FRP/mail (non-curl paths) | sx_frp.c, sxmail_tls.c, sxmail_queue.c |
| POSIX sockets | Raw TCP (fetchtoken, beam, server, DNS) | sx_tcp_fetch.c, scorpiox-beam.c, scorpiox-server.c, scorpiox-dns.c |
| BPF (macOS) | Raw Ethernet over Thunderbolt 4 | libtb4/tb4_transport.c |
| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|---|---|---|---|---|---|
https://api.anthropic.com/v1/messages | HTTPS | 443 | Anthropic Claude API (direct) | User action (chat) | sx_provider_anthropic.c, sx_provider_claude_code.c |
https://api.anthropic.com/v1/messages?beta=true | HTTPS | 443 | Anthropic Claude API (beta features) | User action (chat) | sx_provider_claude_code.c |
https://api.anthropic.com/v1/models | HTTPS | 443 | List available models | User action (models cmd) | scorpiox-claudecode-models.c |
https://chatgpt.com/backend-api/codex/responses | HTTPS | 443 | OpenAI Codex API | User action (chat) | sx_provider_codex.c |
https://api.openai.com/v1/chat/completions | HTTPS | 443 | OpenAI Chat Completions | User action (chat) | scorpiox-openai.c |
https://generativelanguage.googleapis.com/v1beta | HTTPS | 443 | Google Gemini API | User action (chat) | scorpiox-gemini.c |
https://api.z.ai/api/anthropic/v1/messages | HTTPS | 443 | Z.AI proxy for Anthropic | User action (chat) | sx_provider_anthropic.c, config |
http://192.168.1.12:8045/v1/messages | HTTP | 8045 | Antigravity proxy (LAN) | User action (chat) | config_embedded.c |
http://192.168.1.204:8045/v1/messages | HTTP | 8045 | Antigravity proxy (LAN, alt) | User action (chat) | config |
https://opus.scorpiox.net | HTTPS | 443 | ScorpioX OpenAI-compat endpoint | User action (chat) | config_embedded.c |
https://qwen3-coder-next.scorpiox.net | HTTPS | 443 | Qwen3 coder endpoint | User action (chat) | scorpiox-openai.c (example) |
http://scorpiox.net:5176 | HTTP | 5176 | ScorpioX router (WASM default) | User action (chat) | config_embedded.c |
https://scorpiox.net/api | HTTPS | 443 | ScorpioX API | User action | config |
| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|---|---|---|---|---|---|
https://console.anthropic.com/v1/oauth/token | HTTPS | 443 | Claude Code OAuth token refresh | Automatic (token expiry) | scorpiox-claudecode-refreshtoken.c |
https://auth.openai.com/oauth/token | HTTPS | 443 | Codex OAuth token refresh | Automatic (token expiry) | scorpiox-codex-refreshtoken.c |
http://token.scorpiox.net/claude | HTTP | 80 | Remote Claude token fetch | Auto/config | scorpiox-claudecode-fetchtoken.c |
http://token.scorpiox.net/codex | HTTP | 80 | Remote Codex token fetch | Auto/config | scorpiox-codex-fetchtoken.c |
http://token.scorpiox.net/gemini | HTTP | 80 | Remote Gemini token fetch | Auto/config | scorpiox-gemini-fetchtoken.c |
https://login.scorpiox.net/ | HTTPS | 443 | JWT issuer validation | Server auth | scorpiox-server.c |
| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|---|---|---|---|---|---|
https://code.scorpiox.net/usage-send | HTTPS | 443 | Token usage reporting | Automatic (after API call) | scorpiox-usage.c |
https://code.scorpiox.net/sessions-send | HTTPS | 443 | Session event telemetry | Automatic (per message) | scorpiox-emit-session.c, sx.c |
| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|---|---|---|---|---|---|
https://dist.scorpiox.net/container-images/ | HTTPS | 443 | Container image downloads | User action (run VM/WSL) | scorpiox-vm.c, scorpiox-wsl.c, scorpiox-unshare.c |
https://dist.scorpiox.net/executables/ | HTTPS | 443 | Binary updates (WSL) | Automatic (update check) | scorpiox-wsl.c |
https://dist.scorpiox.net/executables/scorpiox-wsl.exe | HTTPS | 443 | WSL binary update | Automatic | config_embedded.c |
https://dist.scorpiox.net/executables/scorpiox-whatsapp-bridge-* | HTTPS | 443 | WhatsApp bridge download | User action | scorpiox-whatsapp.c |
https://dist.scorpiox.net/firmware/ | HTTPS | 443 | SeaBIOS firmware download | User action (VM) | scorpiox-vm.c |
https://dist.scorpiox.net/scorpiox/index.txt | HTTPS | 443 | Branch/version auto-detection | Automatic (build/deploy) | sx_config.c |
https://dist.scorpiox.net/scorpiox/sx/scorpiox_code.tar.gz | HTTPS | 443 | Scorpiox code tarball | User action (tmux deploy) | scorpiox-tmux.c |
| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|---|---|---|---|---|---|
https://www.mojeek.com/search?q=… | HTTPS | 443 | Mojeek web search | User action (WebSearch tool) | scorpiox-websearch.c |
https://search.brave.com/search?q=… | HTTPS | 443 | Brave web search | User action (WebSearch tool) | scorpiox-websearch.c |
https://html.duckduckgo.com/html/?q=… | HTTPS | 443 | DuckDuckGo web search | User action (WebSearch tool) | scorpiox-websearch.c |
https://www.google.com/search?q=… | HTTPS | 443 | Google web search | Template (config) | config |
https://www.bing.com/search?q=… | HTTPS | 443 | Bing web search | Template (config) | config |
https://yandex.com/search/?text=… | HTTPS | 443 | Yandex web search | Template (config) | config |
https://www.ecosia.org/search?q=… | HTTPS | 443 | Ecosia web search | Template (config) | config |
https://www.startpage.com/sp/search?query=… | HTTPS | 443 | Startpage web search | Template (config) | config |
https://www.qwant.com/?q=… | HTTPS | 443 | Qwant web search | Template (config) | config |
https://search.yahoo.com/search?p=… | HTTPS | 443 | Yahoo web search | Template (config) | config |
https://searx.be/search?q=… | HTTPS | 443 | SearX web search | Template (config) | config |
| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|---|---|---|---|---|---|
https://whisper.scorpiox.net/ | HTTPS | 443 | Speech-to-text (Whisper API) | User action (voice cmd) | scorpiox-voice.c |
| Service | Protocol | Default Port | Purpose | File(s) |
|---|---|---|---|---|
| HTTP Server | TCP/HTTP | 8080 | CGI-style script server | scorpiox-server.c |
| Host API Server | TCP/HTTP | 7432 | Agent host control API | scorpiox-host.c |
| Fetchtoken Server | TCP | 9800 | Token bridge (TCP→HTTP) | scorpiox-server-fetchtoken.c |
| HTTP-to-TCP Relay | TCP | 9801 | HTTP relay for TLS-free clients | scorpiox-server-http2tcp.c |
| DNS Server | UDP+TCP | 53 | Local DNS (*.scorpiox.net zone) | scorpiox-dns.c |
| SMTP Server | TCP | 25, 587 | Mail Transfer Agent | scorpiox-server-email.c |
| IMAP Server | TCP | 993 | Mail retrieval | scorpiox-server-email.c |
| WebSocket Bridge | TCP/WS | 6080 | WebSocket-to-TCP (noVNC) | bridge/ws2tcp.c |
| Beam Transfer | TCP | 9876 | File transfer service | scorpiox-beam.c |
| SDK Host Server | TCP/HTTP | 7432 | SDK agent orchestration | scorpiox-sdk.c |
| CDP Connection | TCP | 9222 | Chrome DevTools Protocol | scorpiox-fetch.c |
| Endpoint / Service | Protocol | Port | Purpose | File(s) |
|---|---|---|---|---|
TCP_HOST (default: 20.53.240.54 or proxy.scorpiox.net) | TCP | 9800 | Token fetch via raw TCP | sx_tcp_fetch.c |
anthropic.scorpiox.net | HTTPS | 443 | Claude Code API proxy | sx_provider_claude_code.c |
relay.scorpiox.net | TCP | 9801 | HTTP relay host | config_embedded.c |
| FRP server (configurable) | TCP+TLS | 7000 | Reverse proxy tunneling | sx_frp.c |
localhost:3001 | TCP | 3001 | PowerShell remoting | config (PWSH_HOST) |
http://localhost:8087/claude | HTTP | 8087 | Local fetchtoken upstream | scorpiox-server-fetchtoken.c |
http://localhost:9100 | HTTP | 9100 | Local service (config example) | config |
| SSH targets (configurable) | TCP | 22/22223 | Remote token fetch via SSH | scorpiox-claudecode-fetchtoken.c |
| IP Address | Context | File(s) |
|---|---|---|
20.53.240.54 | Default TCP_HOST for fetchtoken (Azure IP) | config_embedded.c |
192.168.1.12 | Antigravity LAN proxy | config_embedded.c |
192.168.1.204 | Antigravity LAN proxy (alt) | config |
192.168.1.6 | Default CLAUDE_CODE_SSH_HOST | config_embedded.c |
192.168.1.3 | Default TMUX_REMOTE_HOST | config_embedded.c |
127.0.0.1 | Localhost (relay, SDK, various) | Multiple files |
0.0.0.0 | DNS bind address | scorpiox-dns.c |
8.8.8.8, 1.1.1.1 | Default DNS upstream | scorpiox-dns.c |
sx_http.c wraps libcurl for all native HTTP/HTTPS operationssx_http_wasm.c uses browser fetch() APIsx_http_relay.c provides a TCP-based relay for environments without libcurl/TLSsx_tcp_fetch.c — multi-host failover, SXV1 protocol with AUTH, backward compatscorpiox-beam.c — direct TCP with checksum verificationscorpiox-server.c — custom HTTP/1.1 server with fork-per-requestscorpiox-dns.c — UDP + TCP DNS on port 53sx_frp.c — full FRP client protocol (yamux multiplexing over TCP)bridge/ws2tcp.c — WebSocket-to-TCP for noVNCscorpiox-fetch.c — WebSocket to Chrome DevTools Protocol for browser renderinglibtb4/tb4_transport.c — BPF-based raw Ethernet frames (macOS only)0x88B5 (custom)scorpiox-email.c — libcurl-based SMTP client (STARTTLS/SSL/plain)scorpiox-server-email.c — SMTP MTA + IMAP server (mbedTLS for TLS)sxmail_queue.c — outbound delivery with MX resolution and retryEMIT_SESSION_TRACKING)EMIT_SESSION_TRACKING=1 in config (default: 0 in native, 1 in WASM embedded config)https://code.scorpiox.net/sessions-sendsystem() call to scorpiox-emit-session binary (runs in background)sx.c (report_emit_session_async), scorpiox-emit-session.c/tmp/sx_emit_*.txt temp files before sending.USAGE_TRACKING)USAGE_TRACKING not equal to 0 (not explicitly disabled)https://code.scorpiox.net/usage-sendscorpiox-usage.csx_cache_keepalive.c.scorpiox/traffics/ and .scorpiox/sessions/Multiple files disable SSL peer and host verification:
| File | Code | Risk |
|---|---|---|
scorpiox-claudecode-fetchtoken.c:341-342 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | HIGH — OAuth token fetch with no cert validation |
scorpiox-claudecode-refreshtoken.c:341-342 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | HIGH — OAuth refresh with no cert validation |
scorpiox-codex-fetchtoken.c:437-438 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | HIGH — Codex token fetch |
scorpiox-codex-refreshtoken.c:464-465 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | HIGH — Codex token refresh |
scorpiox-gemini-fetchtoken.c:125-126 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | HIGH — Gemini token fetch |
scorpiox-email.c:342-343 | CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0 | MEDIUM — Email SMTP client |
scorpiox-traffic.c:980 | setenv("CURLOPT_SSL_VERIFYPEER", "0", 1) | MEDIUM — Traffic capture proxy |
sxmail_tls.c:185 | MBEDTLS_SSL_VERIFY_NONE | MEDIUM — Mail TLS |
sxmail_queue.c:532 | MBEDTLS_SSL_VERIFY_NONE | MEDIUM — Outbound SMTP relay TLS |
sx_frp.c:1105 | MBEDTLS_SSL_VERIFY_NONE | MEDIUM — FRP tunnel TLS |
CURLOPT_CAINFO), then fall back to disabling verification. This suggests a development/portability workaround that was never properly resolved.
sx_http.c:153 — Sets CURLOPT_CAINFO if SX_CA_BUNDLE config is availablescorpiox-pwsh.c:353 — Properly sets CA infosx_http.c HTTP client does NOT disable cert verification by default (only specific tools do)Several token fetch endpoints use plain HTTP (not HTTPS):
http://token.scorpiox.net/claude — OAuth tokens over HTTPhttp://token.scorpiox.net/codex — OAuth tokens over HTTP http://token.scorpiox.net/gemini — OAuth tokens over HTTPhttp://scorpiox.net:5176 — Router URL over HTTPhttp://192.168.1.12:8045/v1/messages — API proxy on LAN (HTTP)20.53.240.54:9800 — Raw TCP token fetch (no encryption)User Input → sx.c → sx_agent.c → sx_provider_*.c
│
┌──────────────────────┼──────────────────────┐
▼ ▼ ▼
api.anthropic.com chatgpt.com/backend-api googleapis.com
(Claude API) (Codex API) (Gemini API)
│ │ │
▼ ▼ ▼
AI Response → sx_agent.c → sx.c → Display
│
├── emit_session_msg() ──→ code.scorpiox.net/sessions-send
└── scorpiox-usage ──────→ code.scorpiox.net/usage-send
sx_provider_claude_code.c → load_oauth_token_ex()
│
├── LOCAL: Read ~/.claude/.credentials.json (no network)
├── SSH: SSH to CLAUDE_CODE_SSH_HOST → read credentials
├── REMOTE: HTTP GET http://token.scorpiox.net/claude
└── TCP: Raw TCP to TCP_HOST:TCP_PORT (SXV1 protocol)
│
▼
scorpiox-server-fetchtoken (TCP:9800)
│
▼
HTTP upstream (localhost:8087/claude)
scorpiox-wsl.c → check_for_update()
│
▼
dist.scorpiox.net/executables/scorpiox-wsl.exe
│
▼
Compare binary size → Replace if different
scorpiox-vm.c → download VM images / BIOS firmware
│
▼
dist.scorpiox.net/container-images/
dist.scorpiox.net/firmware/bios-256k.bin
Local Service (port N) ←── sx_frp.c ──→ frps server (port 7000)
TCP + yamux │
AES-128-CFB ▼
(optional TLS) Remote clients
| Key | Value | File |
|---|---|---|
ANTHROPIC_ANTIGRAVITY_KEY | sk-6088a10dc3c1473cac567069b0e557f6 | config_embedded.c |
ANTHROPIC_ZAI_KEY | 9c6fba5db3f84613aaf8700b05990835.ue19jY48d9GmddqX | config_embedded.c |
These are compiled into the WASM binary and could be extracted by anyone with access to it.
All domains below are resolved via getaddrinfo() or libcurl's internal resolver:
api.anthropic.com — AI APIconsole.anthropic.com — OAuthauth.openai.com — OAuthchatgpt.com — Codex APIgenerativelanguage.googleapis.com — Gemini APIapi.z.ai — Z.AI proxyapi.openai.com — OpenAI API*.scorpiox.net — Multiple services (token, dist, code, whisper, login, opus, relay, etc.)search.brave.com, www.mojeek.com, html.duckduckgo.com — Web search enginesscorpiox-dns.c)*.scorpiox.net8.8.8.8 and 1.1.1.1 (configurable)DNS_AUDIT_LOG=1)| # | Risk | Severity | Description |
|---|---|---|---|
| 1 | Hardcoded API keys in WASM config | 🔴 CRITICAL | ANTHROPIC_ANTIGRAVITY_KEY and ANTHROPIC_ZAI_KEY embedded in source. Can be extracted from compiled WASM. |
| 2 | SSL verification disabled across token fetchers | 🔴 CRITICAL | 6+ files disable SSL_VERIFYPEER and SSL_VERIFYHOST. OAuth tokens (bearing full API access) are fetched without certificate validation, enabling MITM attacks. |
| 3 | OAuth tokens transported over plain HTTP | 🔴 CRITICAL | token.scorpiox.net endpoints use http:// (not https://). Tokens can be intercepted on the network. |
| 4 | Raw TCP token transport (no encryption) | 🟠 HIGH | sx_tcp_fetch.c sends token requests over unencrypted TCP to 20.53.240.54:9800. API keys (SXV1 AUTH=key) sent in plaintext. |
| # | Risk | Severity | Description |
|---|---|---|---|
| 5 | Hardcoded LAN IP addresses | 🟠 HIGH | Private IPs (192.168.1.x) hardcoded in embedded config. Could expose internal network topology. |
| 6 | Full message telemetry | 🟠 HIGH | When EMIT_SESSION_TRACKING=1, complete user prompts and AI responses are POSTed to code.scorpiox.net. Temp files written to /tmp/. |
| 7 | FRP tunnel with VERIFY_NONE | 🟠 HIGH | FRP client TLS uses MBEDTLS_SSL_VERIFY_NONE. Tunnel endpoint identity not verified. |
| 8 | Auto-update with no code signing | 🟠 HIGH | scorpiox-wsl.c downloads and replaces its own binary from dist.scorpiox.net without signature verification. Only file size comparison. |
| # | Risk | Severity | Description |
|---|---|---|---|
| 9 | SMTP with disabled cert verification | 🟡 MEDIUM | Email client and outbound queue disable TLS verification. |
| 10 | DNS server on port 53 | 🟡 MEDIUM | Built-in DNS server could be used for DNS spoofing if misconfigured. |
| 11 | Multiple listening services | 🟡 MEDIUM | 10+ server components bind to various ports. Attack surface is broad. |
| 12 | fire-and-forget telemetry via system() | 🟡 MEDIUM | sx.c uses system() to spawn telemetry process. Command injection risk if session IDs are not sanitized. |
| # | Risk | Severity | Description |
|---|---|---|---|
| 13 | Web search scraping | 🟢 LOW | Multiple search engines contacted; user-agent spoofing as Chrome. |
| 14 | Voice audio upload | 🟢 LOW | Audio files uploaded to whisper.scorpiox.net for transcription. User-initiated. |
| 15 | Thunderbolt raw ethernet | 🟢 LOW | Custom EtherType 0x88B5 protocol. Requires root/BPF. macOS only. |
sx_config_embedded.c. Use environment variables or secure key management.SSL_VERIFYPEER=0 fallbacks.token.scorpiox.net endpoints from http:// to https://.sx_tcp_fetch.c), or migrate to HTTPS.system() calls in telemetry.*_API_URL configs).