# Network Communications Audit Report

**Codebase:** scorpiox/clang  
**Audit Date:** 2026-04-28  
**Auditor:** Security Audit Agent  
**Scope:** All network-related function calls, endpoints, protocols, and telemetry

---

## 1. Network Activity Summary

The scorpiox codebase is a **highly network-active** application suite. It contains:

- **~90+ source files** (non-vendor) with network-related code
- **Multiple AI provider integrations** (Anthropic, OpenAI/Codex, Gemini, custom routers)
- **Custom server infrastructure** (HTTP server, DNS server, SMTP/IMAP server, fetchtoken server, FRP tunnel server)
- **Telemetry subsystems** (session tracking, usage reporting)
- **Distribution/update system** (auto-download binaries, container images, firmware)
- **Peripheral network tools** (web search, voice transcription, file transfer, WebSocket bridge)

### Key Libraries Used
| Library | Purpose | Files |
|---------|---------|-------|
| **libcurl** | HTTP/HTTPS client (native builds) | sx_http.c, all provider_*.c, email, fetchtoken, etc. |
| **mbedTLS** | TLS for SMTP/FRP/mail (non-curl paths) | sx_frp.c, sxmail_tls.c, sxmail_queue.c |
| **POSIX sockets** | Raw TCP (fetchtoken, beam, server, DNS) | sx_tcp_fetch.c, scorpiox-beam.c, scorpiox-server.c, scorpiox-dns.c |
| **BPF (macOS)** | Raw Ethernet over Thunderbolt 4 | libtb4/tb4_transport.c |

---

## 2. Endpoint Inventory

### 2.1 AI Provider API Endpoints

| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|----------|----------|------|---------|-------------|---------|
| `https://api.anthropic.com/v1/messages` | HTTPS | 443 | Anthropic Claude API (direct) | User action (chat) | sx_provider_anthropic.c, sx_provider_claude_code.c |
| `https://api.anthropic.com/v1/messages?beta=true` | HTTPS | 443 | Anthropic Claude API (beta features) | User action (chat) | sx_provider_claude_code.c |
| `https://api.anthropic.com/v1/models` | HTTPS | 443 | List available models | User action (models cmd) | scorpiox-claudecode-models.c |
| `https://chatgpt.com/backend-api/codex/responses` | HTTPS | 443 | OpenAI Codex API | User action (chat) | sx_provider_codex.c |
| `https://api.openai.com/v1/chat/completions` | HTTPS | 443 | OpenAI Chat Completions | User action (chat) | scorpiox-openai.c |
| `https://generativelanguage.googleapis.com/v1beta` | HTTPS | 443 | Google Gemini API | User action (chat) | scorpiox-gemini.c |
| `https://api.z.ai/api/anthropic/v1/messages` | HTTPS | 443 | Z.AI proxy for Anthropic | User action (chat) | sx_provider_anthropic.c, config |
| `http://192.168.1.12:8045/v1/messages` | HTTP | 8045 | Antigravity proxy (LAN) | User action (chat) | config_embedded.c |
| `http://192.168.1.204:8045/v1/messages` | HTTP | 8045 | Antigravity proxy (LAN, alt) | User action (chat) | config |
| `https://opus.scorpiox.net` | HTTPS | 443 | ScorpioX OpenAI-compat endpoint | User action (chat) | config_embedded.c |
| `https://qwen3-coder-next.scorpiox.net` | HTTPS | 443 | Qwen3 coder endpoint | User action (chat) | scorpiox-openai.c (example) |
| `http://scorpiox.net:5176` | HTTP | 5176 | ScorpioX router (WASM default) | User action (chat) | config_embedded.c |
| `https://scorpiox.net/api` | HTTPS | 443 | ScorpioX API | User action | config |

### 2.2 OAuth / Token Endpoints

| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|----------|----------|------|---------|-------------|---------|
| `https://console.anthropic.com/v1/oauth/token` | HTTPS | 443 | Claude Code OAuth token refresh | Automatic (token expiry) | scorpiox-claudecode-refreshtoken.c |
| `https://auth.openai.com/oauth/token` | HTTPS | 443 | Codex OAuth token refresh | Automatic (token expiry) | scorpiox-codex-refreshtoken.c |
| `http://token.scorpiox.net/claude` | HTTP | 80 | Remote Claude token fetch | Auto/config | scorpiox-claudecode-fetchtoken.c |
| `http://token.scorpiox.net/codex` | HTTP | 80 | Remote Codex token fetch | Auto/config | scorpiox-codex-fetchtoken.c |
| `http://token.scorpiox.net/gemini` | HTTP | 80 | Remote Gemini token fetch | Auto/config | scorpiox-gemini-fetchtoken.c |
| `https://login.scorpiox.net/` | HTTPS | 443 | JWT issuer validation | Server auth | scorpiox-server.c |

### 2.3 Telemetry / Reporting Endpoints

| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|----------|----------|------|---------|-------------|---------|
| `https://code.scorpiox.net/usage-send` | HTTPS | 443 | Token usage reporting | Automatic (after API call) | scorpiox-usage.c |
| `https://code.scorpiox.net/sessions-send` | HTTPS | 443 | Session event telemetry | Automatic (per message) | scorpiox-emit-session.c, sx.c |

### 2.4 Distribution / Update Endpoints

| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|----------|----------|------|---------|-------------|---------|
| `https://dist.scorpiox.net/container-images/` | HTTPS | 443 | Container image downloads | User action (run VM/WSL) | scorpiox-vm.c, scorpiox-wsl.c, scorpiox-unshare.c |
| `https://dist.scorpiox.net/executables/` | HTTPS | 443 | Binary updates (WSL) | Automatic (update check) | scorpiox-wsl.c |
| `https://dist.scorpiox.net/executables/scorpiox-wsl.exe` | HTTPS | 443 | WSL binary update | Automatic | config_embedded.c |
| `https://dist.scorpiox.net/executables/scorpiox-whatsapp-bridge-*` | HTTPS | 443 | WhatsApp bridge download | User action | scorpiox-whatsapp.c |
| `https://dist.scorpiox.net/firmware/` | HTTPS | 443 | SeaBIOS firmware download | User action (VM) | scorpiox-vm.c |
| `https://dist.scorpiox.net/scorpiox/index.txt` | HTTPS | 443 | Branch/version auto-detection | Automatic (build/deploy) | sx_config.c |
| `https://dist.scorpiox.net/scorpiox/sx/scorpiox_code.tar.gz` | HTTPS | 443 | Scorpiox code tarball | User action (tmux deploy) | scorpiox-tmux.c |

### 2.5 Web Search Endpoints

| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|----------|----------|------|---------|-------------|---------|
| `https://www.mojeek.com/search?q=…` | HTTPS | 443 | Mojeek web search | User action (WebSearch tool) | scorpiox-websearch.c |
| `https://search.brave.com/search?q=…` | HTTPS | 443 | Brave web search | User action (WebSearch tool) | scorpiox-websearch.c |
| `https://html.duckduckgo.com/html/?q=…` | HTTPS | 443 | DuckDuckGo web search | User action (WebSearch tool) | scorpiox-websearch.c |
| `https://www.google.com/search?q=…` | HTTPS | 443 | Google web search | Template (config) | config |
| `https://www.bing.com/search?q=…` | HTTPS | 443 | Bing web search | Template (config) | config |
| `https://yandex.com/search/?text=…` | HTTPS | 443 | Yandex web search | Template (config) | config |
| `https://www.ecosia.org/search?q=…` | HTTPS | 443 | Ecosia web search | Template (config) | config |
| `https://www.startpage.com/sp/search?query=…` | HTTPS | 443 | Startpage web search | Template (config) | config |
| `https://www.qwant.com/?q=…` | HTTPS | 443 | Qwant web search | Template (config) | config |
| `https://search.yahoo.com/search?p=…` | HTTPS | 443 | Yahoo web search | Template (config) | config |
| `https://searx.be/search?q=…` | HTTPS | 443 | SearX web search | Template (config) | config |

### 2.6 Voice / Whisper Endpoint

| Endpoint | Protocol | Port | Purpose | Initiated By | File(s) |
|----------|----------|------|---------|-------------|---------|
| `https://whisper.scorpiox.net/` | HTTPS | 443 | Speech-to-text (Whisper API) | User action (voice cmd) | scorpiox-voice.c |

### 2.7 Server / Listening Services

| Service | Protocol | Default Port | Purpose | File(s) |
|---------|----------|-------------|---------|---------|
| HTTP Server | TCP/HTTP | 8080 | CGI-style script server | scorpiox-server.c |
| Host API Server | TCP/HTTP | 7432 | Agent host control API | scorpiox-host.c |
| Fetchtoken Server | TCP | 9800 | Token bridge (TCP→HTTP) | scorpiox-server-fetchtoken.c |
| HTTP-to-TCP Relay | TCP | 9801 | HTTP relay for TLS-free clients | scorpiox-server-http2tcp.c |
| DNS Server | UDP+TCP | 53 | Local DNS (*.scorpiox.net zone) | scorpiox-dns.c |
| SMTP Server | TCP | 25, 587 | Mail Transfer Agent | scorpiox-server-email.c |
| IMAP Server | TCP | 993 | Mail retrieval | scorpiox-server-email.c |
| WebSocket Bridge | TCP/WS | 6080 | WebSocket-to-TCP (noVNC) | bridge/ws2tcp.c |
| Beam Transfer | TCP | 9876 | File transfer service | scorpiox-beam.c |
| SDK Host Server | TCP/HTTP | 7432 | SDK agent orchestration | scorpiox-sdk.c |
| CDP Connection | TCP | 9222 | Chrome DevTools Protocol | scorpiox-fetch.c |

### 2.8 Internal / Infrastructure

| Endpoint / Service | Protocol | Port | Purpose | File(s) |
|-------------------|----------|------|---------|---------|
| TCP_HOST (default: `20.53.240.54` or `proxy.scorpiox.net`) | TCP | 9800 | Token fetch via raw TCP | sx_tcp_fetch.c |
| `anthropic.scorpiox.net` | HTTPS | 443 | Claude Code API proxy | sx_provider_claude_code.c |
| `relay.scorpiox.net` | TCP | 9801 | HTTP relay host | config_embedded.c |
| FRP server (configurable) | TCP+TLS | 7000 | Reverse proxy tunneling | sx_frp.c |
| `localhost:3001` | TCP | 3001 | PowerShell remoting | config (PWSH_HOST) |
| `http://localhost:8087/claude` | HTTP | 8087 | Local fetchtoken upstream | scorpiox-server-fetchtoken.c |
| `http://localhost:9100` | HTTP | 9100 | Local service (config example) | config |
| SSH targets (configurable) | TCP | 22/22223 | Remote token fetch via SSH | scorpiox-claudecode-fetchtoken.c |

### 2.9 Hardcoded IP Addresses

| IP Address | Context | File(s) |
|-----------|---------|---------|
| `20.53.240.54` | Default TCP_HOST for fetchtoken (Azure IP) | config_embedded.c |
| `192.168.1.12` | Antigravity LAN proxy | config_embedded.c |
| `192.168.1.204` | Antigravity LAN proxy (alt) | config |
| `192.168.1.6` | Default CLAUDE_CODE_SSH_HOST | config_embedded.c |
| `192.168.1.3` | Default TMUX_REMOTE_HOST | config_embedded.c |
| `127.0.0.1` | Localhost (relay, SDK, various) | Multiple files |
| `0.0.0.0` | DNS bind address | scorpiox-dns.c |
| `8.8.8.8`, `1.1.1.1` | Default DNS upstream | scorpiox-dns.c |

---

## 3. Protocol Analysis

### 3.1 HTTP/HTTPS (via libcurl)
- **Implementation:** `sx_http.c` wraps libcurl for all native HTTP/HTTPS operations
- **WASM alternative:** `sx_http_wasm.c` uses browser `fetch()` API
- **Relay mode:** `sx_http_relay.c` provides a TCP-based relay for environments without libcurl/TLS
- **Features:** Streaming SSE support, header callbacks, progress/cancel, timeout control

### 3.2 Raw TCP (POSIX sockets)
- **Token fetch:** `sx_tcp_fetch.c` — multi-host failover, SXV1 protocol with AUTH, backward compat
- **File transfer:** `scorpiox-beam.c` — direct TCP with checksum verification
- **Server:** `scorpiox-server.c` — custom HTTP/1.1 server with fork-per-request
- **DNS:** `scorpiox-dns.c` — UDP + TCP DNS on port 53

### 3.3 FRP Tunneling
- **Implementation:** `sx_frp.c` — full FRP client protocol (yamux multiplexing over TCP)
- **Crypto:** AES-128-CFB on control stream (PBKDF2 key derivation, mbedTLS)
- **Optional TLS:** mbedTLS wrapping before yamux layer
- **Purpose:** Expose local services through NAT via remote frps server

### 3.4 WebSocket
- **ws2tcp bridge:** `bridge/ws2tcp.c` — WebSocket-to-TCP for noVNC
- **CDP:** `scorpiox-fetch.c` — WebSocket to Chrome DevTools Protocol for browser rendering

### 3.5 Raw Ethernet (Thunderbolt 4)
- **Implementation:** `libtb4/tb4_transport.c` — BPF-based raw Ethernet frames (macOS only)
- **EtherType:** `0x88B5` (custom)
- **Features:** Stream protocol with sliding window, ACK, keepalive, SYN handshake
- **Purpose:** High-speed local file/data transfer between Thunderbolt-connected machines

### 3.6 SMTP/IMAP
- **Client:** `scorpiox-email.c` — libcurl-based SMTP client (STARTTLS/SSL/plain)
- **Server:** `scorpiox-server-email.c` — SMTP MTA + IMAP server (mbedTLS for TLS)
- **Queue:** `sxmail_queue.c` — outbound delivery with MX resolution and retry

---

## 4. Telemetry Assessment

**Rating: MODERATE — opt-in telemetry with fire-and-forget pattern**

### 4.1 Session Event Telemetry (`EMIT_SESSION_TRACKING`)
- **Gate:** Requires `EMIT_SESSION_TRACKING=1` in config (default: `0` in native, `1` in WASM embedded config)
- **Endpoint:** `https://code.scorpiox.net/sessions-send`
- **Data sent:** Session ID, message sequence, message type (user/assistant/tool_call/etc.), message text, provider name, model name
- **Machine metadata:** hostname, username, OS, arch, OS version, scorpiox version
- **Mechanism:** Fire-and-forget via `system()` call to `scorpiox-emit-session` binary (runs in background)
- **Files:** `sx.c` (report_emit_session_async), `scorpiox-emit-session.c`
- **⚠ RISK:** When enabled, **full message content** (including user prompts and AI responses) is sent to the telemetry server. Message text is written to `/tmp/sx_emit_*.txt` temp files before sending.

### 4.2 Token Usage Telemetry (`USAGE_TRACKING`)
- **Gate:** Requires `USAGE_TRACKING` not equal to `0` (not explicitly disabled)
- **Endpoint:** `https://code.scorpiox.net/usage-send`
- **Data sent:** Session ID, provider, model, token counts (input/output/cache), machine metadata
- **Mechanism:** POST via libcurl/sx_http
- **Files:** `scorpiox-usage.c`

### 4.3 Cache Keepalive (NOT telemetry)
- **Purpose:** Prevents AI context cache from expiring by sending lightweight ping messages
- **Mechanism:** Timer thread sets a flag; main loop sends a normal API message through the standard provider
- **Network impact:** Additional API requests to the AI provider (e.g., Anthropic)
- **NOT external telemetry** — this is functional cache management
- **Files:** `sx_cache_keepalive.c`

### 4.4 Traffic Logging (Local)
- **Purpose:** Debug logging of API request/response bodies
- **Storage:** Local files under `.scorpiox/traffics/` and `.scorpiox/sessions/`
- **NOT network telemetry** — all local disk

---

## 5. TLS/SSL Security Assessment

### 5.1 Certificate Validation Disabled (⚠ HIGH RISK)

Multiple files **disable SSL peer and host verification**:

| File | Code | Risk |
|------|------|------|
| `scorpiox-claudecode-fetchtoken.c:341-342` | `CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0` | **HIGH** — OAuth token fetch with no cert validation |
| `scorpiox-claudecode-refreshtoken.c:341-342` | `CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0` | **HIGH** — OAuth refresh with no cert validation |
| `scorpiox-codex-fetchtoken.c:437-438` | `CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0` | **HIGH** — Codex token fetch |
| `scorpiox-codex-refreshtoken.c:464-465` | `CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0` | **HIGH** — Codex token refresh |
| `scorpiox-gemini-fetchtoken.c:125-126` | `CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0` | **HIGH** — Gemini token fetch |
| `scorpiox-email.c:342-343` | `CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0` | **MEDIUM** — Email SMTP client |
| `scorpiox-traffic.c:980` | `setenv("CURLOPT_SSL_VERIFYPEER", "0", 1)` | **MEDIUM** — Traffic capture proxy |
| `sxmail_tls.c:185` | `MBEDTLS_SSL_VERIFY_NONE` | **MEDIUM** — Mail TLS |
| `sxmail_queue.c:532` | `MBEDTLS_SSL_VERIFY_NONE` | **MEDIUM** — Outbound SMTP relay TLS |
| `sx_frp.c:1105` | `MBEDTLS_SSL_VERIFY_NONE` | **MEDIUM** — FRP tunnel TLS |

**Pattern observed:** Most files attempt CA bundle loading first (`CURLOPT_CAINFO`), then fall back to disabling verification. This suggests a development/portability workaround that was never properly resolved.

### 5.2 Proper TLS Usage
- `sx_http.c:153` — Sets `CURLOPT_CAINFO` if `SX_CA_BUNDLE` config is available
- `scorpiox-pwsh.c:353` — Properly sets CA info
- The main `sx_http.c` HTTP client does **NOT** disable cert verification by default (only specific tools do)

### 5.3 Token Transport Over HTTP (⚠ RISK)
Several token fetch endpoints use **plain HTTP** (not HTTPS):
- `http://token.scorpiox.net/claude` — OAuth tokens over HTTP
- `http://token.scorpiox.net/codex` — OAuth tokens over HTTP  
- `http://token.scorpiox.net/gemini` — OAuth tokens over HTTP
- `http://scorpiox.net:5176` — Router URL over HTTP
- `http://192.168.1.12:8045/v1/messages` — API proxy on LAN (HTTP)
- TCP_HOST `20.53.240.54:9800` — Raw TCP token fetch (no encryption)

---

## 6. Data Flow Diagrams

### 6.1 AI Chat Flow
```
User Input → sx.c → sx_agent.c → sx_provider_*.c
                                       │
                ┌──────────────────────┼──────────────────────┐
                ▼                      ▼                      ▼
        api.anthropic.com    chatgpt.com/backend-api   googleapis.com
        (Claude API)         (Codex API)               (Gemini API)
                │                      │                      │
                ▼                      ▼                      ▼
           AI Response → sx_agent.c → sx.c → Display
                                       │
                                       ├── emit_session_msg() ──→ code.scorpiox.net/sessions-send
                                       └── scorpiox-usage ──────→ code.scorpiox.net/usage-send
```

### 6.2 Token Acquisition Flow
```
sx_provider_claude_code.c → load_oauth_token_ex()
      │
      ├── LOCAL:  Read ~/.claude/.credentials.json (no network)
      ├── SSH:    SSH to CLAUDE_CODE_SSH_HOST → read credentials
      ├── REMOTE: HTTP GET http://token.scorpiox.net/claude
      └── TCP:    Raw TCP to TCP_HOST:TCP_PORT (SXV1 protocol)
                       │
                       ▼
              scorpiox-server-fetchtoken (TCP:9800)
                       │
                       ▼
              HTTP upstream (localhost:8087/claude)
```

### 6.3 Update/Distribution Flow
```
scorpiox-wsl.c → check_for_update()
      │
      ▼
  dist.scorpiox.net/executables/scorpiox-wsl.exe
      │
      ▼
  Compare binary size → Replace if different

scorpiox-vm.c → download VM images / BIOS firmware
      │
      ▼
  dist.scorpiox.net/container-images/
  dist.scorpiox.net/firmware/bios-256k.bin
```

### 6.4 FRP Tunnel Flow
```
Local Service (port N) ←── sx_frp.c ──→ frps server (port 7000)
                          TCP + yamux      │
                          AES-128-CFB      ▼
                          (optional TLS)  Remote clients
```

---

## 7. Embedded Credentials / API Keys

**⚠ CRITICAL FINDING:** The WASM embedded configuration contains hardcoded API keys:

| Key | Value | File |
|-----|-------|------|
| `ANTHROPIC_ANTIGRAVITY_KEY` | `sk-6088a10dc3c1473cac567069b0e557f6` | config_embedded.c |
| `ANTHROPIC_ZAI_KEY` | `9c6fba5db3f84613aaf8700b05990835.ue19jY48d9GmddqX` | config_embedded.c |

These are compiled into the WASM binary and could be extracted by anyone with access to it.

---

## 8. DNS Resolution Analysis

### 8.1 Domains Resolved at Runtime
All domains below are resolved via `getaddrinfo()` or libcurl's internal resolver:

- `api.anthropic.com` — AI API
- `console.anthropic.com` — OAuth
- `auth.openai.com` — OAuth
- `chatgpt.com` — Codex API
- `generativelanguage.googleapis.com` — Gemini API
- `api.z.ai` — Z.AI proxy
- `api.openai.com` — OpenAI API
- `*.scorpiox.net` — Multiple services (token, dist, code, whisper, login, opus, relay, etc.)
- `search.brave.com`, `www.mojeek.com`, `html.duckduckgo.com` — Web search engines
- Various other search engines (Google, Bing, Yahoo, Yandex, Ecosia, Startpage, Qwant, SearX)
- User-configured SMTP hosts, FRP servers, SSH hosts

### 8.2 DNS Server (`scorpiox-dns.c`)
- **Built-in DNS server** that can serve custom zones for `*.scorpiox.net`
- **Upstream forwarding** to `8.8.8.8` and `1.1.1.1` (configurable)
- **Split-horizon** support (different IPs for LAN vs WAN)
- **Active caching** with background refresh
- **DNS audit logging** (opt-in via `DNS_AUDIT_LOG=1`)

---

## 9. Risk Assessment

### Critical Risks

| # | Risk | Severity | Description |
|---|------|----------|-------------|
| 1 | **Hardcoded API keys in WASM config** | 🔴 CRITICAL | `ANTHROPIC_ANTIGRAVITY_KEY` and `ANTHROPIC_ZAI_KEY` embedded in source. Can be extracted from compiled WASM. |
| 2 | **SSL verification disabled across token fetchers** | 🔴 CRITICAL | 6+ files disable `SSL_VERIFYPEER` and `SSL_VERIFYHOST`. OAuth tokens (bearing full API access) are fetched without certificate validation, enabling MITM attacks. |
| 3 | **OAuth tokens transported over plain HTTP** | 🔴 CRITICAL | `token.scorpiox.net` endpoints use `http://` (not `https://`). Tokens can be intercepted on the network. |
| 4 | **Raw TCP token transport (no encryption)** | 🟠 HIGH | `sx_tcp_fetch.c` sends token requests over unencrypted TCP to `20.53.240.54:9800`. API keys (`SXV1 AUTH=key`) sent in plaintext. |

### High Risks

| # | Risk | Severity | Description |
|---|------|----------|-------------|
| 5 | **Hardcoded LAN IP addresses** | 🟠 HIGH | Private IPs (192.168.1.x) hardcoded in embedded config. Could expose internal network topology. |
| 6 | **Full message telemetry** | 🟠 HIGH | When `EMIT_SESSION_TRACKING=1`, complete user prompts and AI responses are POSTed to `code.scorpiox.net`. Temp files written to `/tmp/`. |
| 7 | **FRP tunnel with VERIFY_NONE** | 🟠 HIGH | FRP client TLS uses `MBEDTLS_SSL_VERIFY_NONE`. Tunnel endpoint identity not verified. |
| 8 | **Auto-update with no code signing** | 🟠 HIGH | `scorpiox-wsl.c` downloads and replaces its own binary from `dist.scorpiox.net` without signature verification. Only file size comparison. |

### Medium Risks

| # | Risk | Severity | Description |
|---|------|----------|-------------|
| 9 | **SMTP with disabled cert verification** | 🟡 MEDIUM | Email client and outbound queue disable TLS verification. |
| 10 | **DNS server on port 53** | 🟡 MEDIUM | Built-in DNS server could be used for DNS spoofing if misconfigured. |
| 11 | **Multiple listening services** | 🟡 MEDIUM | 10+ server components bind to various ports. Attack surface is broad. |
| 12 | **fire-and-forget telemetry via system()** | 🟡 MEDIUM | `sx.c` uses `system()` to spawn telemetry process. Command injection risk if session IDs are not sanitized. |

### Low Risks

| # | Risk | Severity | Description |
|---|------|----------|-------------|
| 13 | **Web search scraping** | 🟢 LOW | Multiple search engines contacted; user-agent spoofing as Chrome. |
| 14 | **Voice audio upload** | 🟢 LOW | Audio files uploaded to `whisper.scorpiox.net` for transcription. User-initiated. |
| 15 | **Thunderbolt raw ethernet** | 🟢 LOW | Custom EtherType 0x88B5 protocol. Requires root/BPF. macOS only. |

---

## 10. Recommendations

1. **IMMEDIATE:** Remove hardcoded API keys from `sx_config_embedded.c`. Use environment variables or secure key management.
2. **IMMEDIATE:** Enable SSL certificate verification on all token fetch/refresh paths. Remove all `SSL_VERIFYPEER=0` fallbacks.
3. **HIGH:** Migrate all `token.scorpiox.net` endpoints from `http://` to `https://`.
4. **HIGH:** Add TLS to the TCP fetchtoken protocol (`sx_tcp_fetch.c`), or migrate to HTTPS.
5. **HIGH:** Implement binary signature verification for auto-updates (e.g., Ed25519 signatures).
6. **MEDIUM:** Add input sanitization for session IDs passed to `system()` calls in telemetry.
7. **MEDIUM:** Enable FRP TLS with proper certificate validation.
8. **MEDIUM:** Document all network endpoints and their purpose for operators.
9. **LOW:** Consider making telemetry endpoints configurable (already partially done via `*_API_URL` configs).
10. **LOW:** Add network activity audit logging as a built-in feature.

---

*Report generated by Security Audit Agent — 2026-04-28*
