FINDING — HIGH RISK: All credentials stored as plaintext in config files. No encryption, no OS keychain integration, no vault support.
4.3 Credential Redaction
✅ GOOD:sx_config_is_sensitive() correctly identifies sensitive keys by checking for substrings: KEY, PASS, SECRET, TOKEN, CREDENTIAL (case-insensitive).
✅ GOOD: Config snapshot in session files redacts sensitive values to **.
✅ GOOD: Startup logging masks keys containing "KEY" as *.
⚠️ GAP: Logging only masks keys matching strstr(keys[k], "KEY") — this misses _PASS and _SECRET keys in the startup log (though snapshot_write_entry uses the comprehensive sx_config_is_sensitive()).
4.4 Runtime Credential Handling
Mechanism
Implementation
Risk
JWT validation
HMAC-SHA256 with constant-time compare
✅ Secure
JWT secret
Loaded from SERVER_JWT_SECRET config
Plaintext in config
API keys → HTTP headers
Passed as Authorization/x-api-key headers
✅ Normal pattern
FRP token
PBKDF2-derived AES key
✅ Good KDF usage
SSH passwords (scorpiox-sshpass)
Passed via -p CLI argument
CRITICAL — visible in ps output
TOTP secrets (scorpiox-otp)
Passed via -s CLI argument
HIGH — visible in ps output
SMTP auth (email server)
SHA-256 hashed passwords in accounts file
⚠️ No salt, no KDF
Authorization header
Passed through to CGI scripts via HTTP_AUTHORIZATION env var
⚠️ Exposed to child processes
4.5 Token Proxy Security
scorpiox-server-fetchtoken:
API key comparison uses strcmp() — ⚠️ Not constant-time (timing side-channel possible)
RISK — file transfer over raw TCP with only xxHash64 integrity
5.2 Crypto Primitives Used
Algorithm
Location
Purpose
Assessment
AES-128-CFB
sx_frp.c
FRP control stream encryption
✅ Appropriate for stream cipher
PBKDF2-SHA1
sx_frp.c
FRP key derivation
⚠️ Only 64 iterations — very low; SHA-1 is deprecated for new designs
SHA-256
scorpiox-server.c
JWT HMAC-SHA256 signature
✅ Industry standard
SHA-256
sxmail_auth.c
Password hashing
⚠️ No salt, no KDF — vulnerable to rainbow tables
SHA-1
scorpiox-otp.c
HMAC-SHA1 for TOTP (RFC 6238)
✅ Required by TOTP spec
MD5
sx_frp.c
FRP login hash
⚠️ MD5 is cryptographically broken
RSA
sxmail_dkim.c
DKIM signing
✅ Via mbedTLS
TLS 1.2
sxmail_tls.c, sx_frp.c
Transport security
✅ mbedTLS implementation
5.3 Encryption at Rest
FINDING — HIGH RISK: No encryption at rest is used anywhere in the codebase. All persistent data (conversations, sessions, config files, email maildir, WhatsApp credentials) is stored in plaintext on the filesystem.
5.4 mbedTLS Configuration
sx_mbedtls_config.h enables:
AES-128-CFB (cipher mode)
PBKDF2 (via PKCS5)
TLS 1.2 (client + server)
RSA, X.509 certificates
SHA-1, SHA-256, SHA-384, SHA-512
CTR-DRBG entropy
Note: TLS 1.3 is NOT enabled. Only TLS 1.2 is configured.
No other temporary file creation patterns found outside of vendor code
7. Logging Analysis
7.1 Log Architecture
File logging: Session logs to .scorpiox/sessions//session.log
Stderr logging: Fallback when file logging fails
Log levels: ERROR, WARN, INFO, DEBUG, TRACE (configurable via LOG_LEVEL)
Timestamps: Millisecond precision [HH:MM:SS.mmm]
7.2 Sensitive Data in Logs
Log Entry
Risk
Mitigation
Config values at startup
Keys with "KEY" substring masked as
⚠️ Incomplete — _PASS, _SECRET not masked in startup log
SMTP auth success/failure
Logs username only
✅ Password not logged
JWT validation failure
Logs "signature verification failed"
✅ No secret/token logged
FRP token
Not logged
✅ Good
API request/response bodies
Written to traffic/ dir (separate from logs)
⚠️ Contains full API payloads
DKIM key path
Logged at INFO level
✅ Path only, not key content
fetchtoken API key
Logged as
✅ Good
7.3 Trace System
The trace system (sx_trace.c) writes detailed data flow checkpoints to .scorpiox/traces/.jsonl and/or .scorpiox/sessions//trace.jsonl:
API_REQUEST — full request being sent
API_RESPONSE — full response received
TOOL_USE_ADD — tool call details
CONV_SAVE / CONV_LOAD — conversation state
FINDING — HIGH RISK: Trace data may contain API keys in HTTP headers and full conversation content. Trace files have no special access controls.
7.4 Log File Locations
Log
Path
Created By
Session log
.scorpiox/sessions//session.log
sx main
Agent log
.scorpiox/sessions//agent.log
sx main
Fallback log
.scorpiox/logs/sx-session.log
sx main
Email server log
~/.scorpiox/server-email.log
scorpiox-server-email
Trace
.scorpiox/sessions//trace.jsonl
sx_trace.c
8. Environment Variable Usage
8.1 Environment Variables Read
Variable
Read By
Sensitivity
HOME / USERPROFILE
Multiple
Low — path discovery
SHELL
sxmux_pane.c
Low — default shell
EDITOR / VISUAL
sx.c
Low — editor selection
ENABLE_TERM_BACKGROUND
sx_term.c
Low — UI config
SXMUX_INIT_CMD
sxmux_pane.c
Low — pane init command
8.2 Environment Variables Set (for child processes)
Variable
Set By
Contains
Risk
HTTP_AUTHORIZATION
scorpiox-server.c
Auth header value
HIGH — full Authorization header passed to CGI scripts
POST_BODY_FILE
scorpiox-server.c
Temp file path
Low — path only
Various CGI vars
scorpiox-server.c
Query params, headers
Medium — depends on content
8.3 Config System vs Environment
The codebase uses its own sx_config_get() system rather than raw getenv() for most configuration. The config cascade (defaults → file → file) avoids polluting the process environment with secrets. This is a good pattern.
Exception:scorpiox-sshpass passes password via write() to PTY (not env var), which is better than SSHPASS env var but the password is still visible in /proc//cmdline via the -p argument.
9. Data Retention
9.1 Session Retention
Configurable via SESSION_RETENTION_DAYS config key
sx_session_cleanup_old() purges sessions older than the retention period
Default: not set (sessions persist indefinitely)
Cleanup triggers: at session creation time
9.2 Conversation Retention
No automatic cleanup mechanism found for .scorpiox/conversations/ files
Conversations persist indefinitely
9.3 Email Retention
Maildir-based storage with no automatic expiration found in audited code
Queue messages persist until relay delivery
9.4 Trace/Log Retention
No automatic cleanup for trace files or log files independent of session cleanup
If session is deleted, associated logs/traces are removed
10. Risk Assessment
Critical Risks
ID
Finding
Location
Impact
C-1
SSH passwords visible in process listing
scorpiox-sshpass-p flag
Password exposure to any user who can run ps
C-2
Email password hashing uses unsalted SHA-256
sxmail_auth.c
Rainbow table attacks on stolen accounts file
C-3
No encryption at rest for any persistent data
All components
Data breach exposure if filesystem is compromised
High Risks
ID
Finding
Location
Impact
H-1
All credentials stored as plaintext in config files
scorpiox-env.txt
Credential theft via file access
H-2
TOTP secrets visible in process listing
scorpiox-otp-s flag
TOTP secret exposure
H-3
Session traffic dir contains full API payloads
.scorpiox/sessions//traffic/
API keys in headers, conversation content
H-4
Trace files contain unredacted API data
.scorpiox/sessions//trace.jsonl
Same as H-3
H-5
FRP PBKDF2 uses only 64 iterations
sx_frp.c
Brute-force key derivation feasible
H-6
FRP login uses MD5 hash
sx_frp.c
MD5 is cryptographically broken
H-7
Predictable temp file names (no mkstemp)
scorpiox-server.c
Symlink / TOCTOU attacks on /tmp/sx_post_*
Medium Risks
ID
Finding
Location
Impact
M-1
Hardcoded internal IP 192.168.1.12 in defaults
sx_config.c
Network topology leak
M-2
fetchtoken API key comparison not constant-time
scorpiox-server-fetchtoken.c
Timing side-channel
M-3
Startup log masks only "KEY"-containing config names
sx.c
_PASS, _SECRET values logged in cleartext
M-4
TLS 1.2 only (no TLS 1.3)
sx_mbedtls_config.h
Missing modern TLS features
M-5
scorpiox-beam file transfer has no encryption
scorpiox-beam.c
Data in transit is unprotected
M-6
Conversations dir not in .gitignore auto-management
sx_conversation.c
Accidental commit of conversation data
M-7
Authorization header passed to CGI via env var
scorpiox-server.c
Credential leakage to untrusted scripts
M-8
No conversation retention/cleanup mechanism
sx_conversation.c
Data hoarding risk
Positive Findings
ID
Finding
Location
P-1
Config snapshot correctly redacts sensitive keys via sx_config_is_sensitive()
sx_session.c, sx_config.c
P-2
Session data auto-added to .gitignore
sx_session.c
P-3
JWT uses constant-time signature comparison
scorpiox-server.c
P-4
Socket directory created with 0700 permissions
sxmux_session.c
P-5
POST body temp files cleaned up after use
scorpiox-server.c
P-6
No hardcoded real API keys or passwords in source
sx_config.c
P-7
Config system avoids env var pollution (uses own cascade)
sx_config.c
P-8
FRP uses proper AES-128-CFB with random IV
sx_frp.c
P-9
TLS implementation via well-maintained mbedTLS library
sxmail_tls.c
11. Recommendations
Replace unsalted SHA-256 password hashing with Argon2id or bcrypt (C-2)
Use mkstemp() for temp files instead of predictable name construction (H-7)
Increase PBKDF2 iterations from 64 to at least 100,000 (H-5)
Add encryption at rest for session/conversation data or at minimum restrict file permissions to 0600 (C-3)
Use environment variable or stdin for scorpiox-sshpass password instead of CLI -p (C-1)
Add constant-time comparison for fetchtoken API key validation (M-2)
Extend startup log masking to cover _PASS and _SECRET patterns (M-3)
Enable TLS 1.3 in mbedTLS configuration (M-4)
Add encryption to scorpiox-beam file transfers (M-5)
Add conversation cleanup mechanism similar to session retention (M-8)
Remove hardcoded internal IP from config defaults (M-1)
Consider redacting Authorization headers in traffic/trace files (H-3, H-4)