📄 security-audit-report.md
⬇ Download Raw

Third-Party Software Security Review — ScorpioX Code

Software: ScorpioX Code Type: AI-Powered Development Tool / CLI Platform Language: Pure C (zero external dependencies) Audit Date: 2026-04-28 Codebase Commit: 28b0b1b7dc2738c86102c359b61e395b54b4ee19 Classification: CONFIDENTIAL — For Corporate Review Only

1. Executive Summary

This report consolidates findings from 13 specialized security audit agents that performed a comprehensive review of the ScorpioX Code codebase at commit 28b0b1b. The software is an AI-powered development CLI platform written entirely in C (approximately 402,541 lines of code: 151,596 project code, 228,526 vendored libraries), targeting Windows, Linux, and macOS.

Overall Risk Rating: MEDIUM

The codebase demonstrates strong foundational security practices — zero external package manager dependencies at build time, fully static linking on Linux, 99.6% safe buffer function usage (2,227 snprintf vs 1 sprintf), no setuid/setgid usage, no executable memory regions, and all telemetry disabled by default. However, meaningful risks exist in TLS security (plaintext token fetch endpoints, silent STARTTLS fallback), memory safety (57+ unchecked malloc sites), distribution integrity (no code signing, graceful SHA256 degradation), and hardcoded credentials in documentation/automation files.

Findings Summary

SeverityCountWindows-Scoped
Critical77
High2020
Medium8980
Low5552
Info10397
Total274159 (excl. info)
Key Strengths Identified: Key Risks Identified:

2. Deployment Scope — Windows Workstation

Primary Deployment Target: Windows Workstation

This audit's risk assessment is primarily scoped to Windows workstation deployment. The software produces 56 Windows-compatible executables and 1 optional shared library. Server-side components (container runtime, KVM VM runner) are Linux-only and are not part of the Windows deployment footprint.

Windows Binaries (56 executables + 1 DLL)

Core CLI & TUI: sx.exe, scorpiox-bash.exe, scorpiox-vi.exe, scorpiox-config.exe, scorpiox-tmux.exe, scorpiox-multiplexer.exe AI Provider Proxies & Token Management: scorpiox-gemini.exe, scorpiox-openai.exe, scorpiox-claudecode-fetchtoken.exe, scorpiox-claudecode-models.exe, scorpiox-claudecode-refreshtoken.exe, scorpiox-codex-fetchtoken.exe, scorpiox-codex-refreshtoken.exe, scorpiox-gemini-fetchtoken.exe, scorpiox-server-fetchtoken.exe Utilities: scorpiox-agent.exe, scorpiox-askuserquestion.exe, scorpiox-beam.exe, scorpiox-busybox.exe, scorpiox-conv.exe, scorpiox-debug.exe, scorpiox-dns.exe, scorpiox-docs.exe, scorpiox-email.exe, scorpiox-emit-session.exe, scorpiox-executecurl.exe, scorpiox-fetch.exe, scorpiox-frp.exe, scorpiox-hook.exe, scorpiox-host.exe, scorpiox-kql.exe, scorpiox-logger.exe, scorpiox-mcp.exe, scorpiox-mirror-git.exe, scorpiox-otp.exe, scorpiox-planmode.exe, scorpiox-printlogs.exe, scorpiox-pwsh.exe, scorpiox-renderimage.exe, scorpiox-rewind.exe, scorpiox-runtest.exe, scorpiox-screenshot.exe, scorpiox-sdk.exe, scorpiox-search.exe, scorpiox-server.exe, scorpiox-server-email.exe, scorpiox-server-http2tcp.exe, scorpiox-skills.exe, scorpiox-systemprompt.exe, scorpiox-tasks.exe, scorpiox-transcript.exe, scorpiox-usage.exe, scorpiox-vault-git.exe, scorpiox-voice.exe, scorpiox-websearch.exe, scorpiox-wsl.exe Windows-Only: scorpiox-wsl.exe (WSL2 integration), scorpiox-busybox.exe (GNU tool manager) Optional Shared Library: libsx.dll (opt-in build via SX_BUILD_DLL)

Linux/macOS-Only Binaries (NOT deployed on Windows)

BinaryPlatformPurpose
scorpiox-unshareLinux onlyRootless container runtime (user namespaces)
scorpiox-initLinux onlyContainer PID 1 init
scorpiox-vmLinux onlyKVM virtual machine runner
scorpiox-sshpassUnix onlySSH PTY password wrapper
scorpiox-trafficUnix onlyNetwork traffic tool
scorpiox-podmanUnix onlyPodman container wrapper
scorpiox-cronNot WindowsCrontab wrapper
scorpiox-whatsappNot WindowsWhatsApp CLI bridge
scorpiox-thunderbolt4macOS onlyThunderbolt 4 file transfer
scorpiox-imessagemacOS onlyiMessage CLI

Windows-Filtered Findings

When scoped to Windows workstation deployment only (excluding findings that exclusively affect Linux/macOS-only binaries):

SeverityAll PlatformsWindows Only
Critical77
High2020
Medium8980
Low5552
Actionable Total171159

3. Changes Since Last Audit

Previous Audit: output/2026-04-28_2b6f3d3 (commit 2b6f3d3) Previous Total Findings: 240
SeverityPreviousCurrentDelta
Critical177↓ 10
High2820↓ 8
Medium6889↑ 21
Low5355↑ 2
Info74103↑ 29
Total240274↑ 34
Analysis: Critical and high-severity findings decreased significantly (−10 and −8 respectively), indicating remediation of the most serious issues. The increase in medium/low/info findings reflects improved audit coverage — this audit uses 13 specialized agents (up from 13 in the previous round) with deeper per-domain analysis, particularly in memory safety (47 medium findings for unchecked allocations that were previously rolled up into fewer findings). The overall risk posture has improved from HIGH to MEDIUM despite the higher total count, because the count increase is driven by finer-grained enumeration of lower-severity issues rather than new vulnerabilities.

4. Supply Chain & Dependencies

Agent: supply-chain | Risk: LOW | Findings: 0C / 0H / 1M / 3L / 3I

Architecture

The project is a C-based application suite with minimal external dependencies. The supply chain attack surface is small:

- yyjson v0.12.0 — MIT license, ~19,556 LOC, fast JSON parser. No known CVEs.

- mbedTLS v3.6.6 — Apache-2.0/GPL-2.0+ dual license, ~208,584 LOC, TLS/crypto. Recent LTS release with custom minimal config (sx_mbedtls_config.h).

Notable Findings

IDSeverityFinding
SC-M1MediumTwo pre-built ELF binaries committed to repo (bridge/scorpiox-ws2tcp, bridge/scorpiox-ws2tcp-arm64) — not reproducible from source
SC-L1LowmbedTLS 3.6.6 is large (~208K LOC) vendored codebase — manual update required
SC-L2Lownpm dependency @whiskeysockets/baileys is a release candidate (rc.9)
SC-L3Lowgnuwin64 download script fetches MSYS2 packages at build time

5. Build System & Code Provenance

Agent: build-provenance | Risk: LOW | Findings: 0C / 0H / 2M / 2L / 6I

Build Configuration

PropertyValue
Build SystemCMake ≥ 3.16
Language StandardC11 (GNU extensions disabled)
Default BuildRelease, fully static linked
Cross-compilationARM64/aarch64 support
PlatformsLinux, macOS, Windows (MinGW)

Compiler Security Flags

FlagStatus
-Wall -Wextra✅ Enabled
-fstack-protector-strong✅ Enabled
-D_FORTIFY_SOURCE=2✅ Enabled (Release)
-fcf-protection✅ Enabled (GCC)
-Wl,-z,relro / -Wl,-z,now⚠️ Missing
-fPIE / -pie⚠️ Missing

Code Provenance

Notable Findings

IDSeverityFinding
BP-M1MediumRELRO and PIE linker hardening flags absent (limited impact for static builds)
BP-M2MediumBridge Makefile missing stack protector and FORTIFY_SOURCE
BP-L1Lowyyjson compiled with -w (all warnings suppressed)
BP-L2LowPython code generation at build time (generate_*.py scripts)

6. Network Endpoints

Agent: network-endpoints | Risk: MEDIUM | Findings: 3C / 5H / 12M / 18L / 57I

Overview

95 unique hardcoded network endpoints identified across 5 categories: external API URLs, internal infrastructure domains, hardcoded IP addresses, hardcoded ports, and exposed credentials.

Critical Findings

IDFindingRisk
NE-C1Hardcoded plaintext passwords in documentation (xboxone for SSH/sudo on lab machines)Credentials in git history
NE-C2NAS/dist server SMB password in automation file (Dd1122110909)Distribution infrastructure compromise
NE-C3Credentials in build/skill automation files (sshpass commands)Persistent exposure in repo

High Findings

IDFindingRisk
NE-H1Hardcoded public IP 20.53.240.54 as default TCP_HOST compiled into binaryInfrastructure pinning in all binaries
NE-H2HTTP (non-TLS) token fetch endpoints (http://token.scorpiox.net/codex, /gemini)Plaintext token transmission
NE-H3JWT issuer/audience hardcoded in serverTight coupling to auth infrastructure

Recommendations

  • Remove all plaintext credentials from repository and rotate them immediately
  • Change token endpoints to HTTPS
  • Use DNS hostnames instead of hardcoded IP addresses
  • Make JWT issuer/audience configurable

  • 7. TLS/SSL Security

    Agent: tls-security | Risk: HIGH | Findings: 2C / 4H / 4M / 2L / 5I

    This is the highest-risk audit domain. Multiple TLS weaknesses exist in transport security.

    Critical Findings

    IDFindingImpact
    TLS-C1Token fetch endpoints default to plaintext HTTPAPI tokens interceptable via MITM
    TLS-C2TCP token fetch protocol has zero TLS supportAPI keys and OAuth credentials sent in cleartext over TCP

    High Findings

    IDFindingImpact
    TLS-H1SMTP relay falls back to plaintext silently when STARTTLS unsupportedSTARTTLS stripping vulnerability; AUTH credentials exposed
    TLS-H2Direct MX delivery (port 25) has no STARTTLS supportEmail content transmitted in plaintext
    TLS-H3FRP TLS client missing SNI hostname verification (mbedtls_ssl_set_hostname() never called)Any valid CA-signed certificate accepted regardless of hostname
    TLS-H4MITM proxy tool globally disables TLS verification for child processesDesign-intentional but dangerous if misused

    Medium Findings

    IDFinding
    TLS-M1WebSocket client (sx_websocket.c) relies on libcurl defaults for TLS — no explicit minimum version
    TLS-M2mbedTLS config enables TLS 1.2 only (no TLS 1.3) — acceptable but aging
    TLS-M3No certificate pinning for any API endpoints
    TLS-M4SMTP TLS implementation does not verify server certificate hostname

    Recommendations

  • Immediate: Change all token fetch default URLs to https://
  • Immediate: Add TLS to TCP token fetch or restrict to loopback
  • High Priority: Make STARTTLS mandatory for relay connections
  • High Priority: Add mbedtls_ssl_set_hostname() call in FRP client
  • Implement opportunistic STARTTLS for direct MX delivery

  • 8. Hardcoded Credentials

    Agent: credential-hardcode | Risk: LOW | Findings: 0C / 0H / 3M / 2L / 2I

    No real API keys or bearer tokens are embedded in compiled source code. Findings relate to placeholder values and public OAuth client IDs.

    IDSeverityFinding
    HC-M1MediumPlaceholder API key "xxx" hardcoded as default for OPENAI_API_KEY — may be sent in requests
    HC-M2MediumHardcoded Anthropic OAuth client ID (public, but not configurable)
    HC-M3MediumHardcoded OpenAI/Codex OAuth client ID (public, but not configurable)
    HC-L1LowHardcoded Azure IP 20.53.240.54 for TCP token fetch default
    HC-L2LowEmpty credential field placeholders in embedded config

    Recommendations

  • Set OPENAI_API_KEY default to empty string ""
  • Make OAuth client IDs configurable with current values as defaults

  • 9. File I/O & Data Handling

    Agent: file-io | Risk: MEDIUM | Findings: 0C / 1H / 5M / 5L / 0I

    Positive Practices

    Notable Findings

    IDSeverityFinding
    FIO-H1HighPredictable temp file names in HTTP server (POST body): PID + timestamp, symlink race
    FIO-M1MediumPredictable temp file in editor (sx-edit-.txt)
    FIO-M2MediumPredictable temp file in container image listing
    FIO-M3MediumDNS stats/PID files in /tmp without restrictive permissions
    FIO-M4MediumConfig files with API keys written without explicit 0600 permissions
    FIO-M5MediumLog files may contain sensitive headers before redaction

    Recommendations

  • Replace all PID/timestamp-based temp files with mkstemp() pattern
  • Explicitly set 0600 permissions on config files containing API keys
  • Use O_CREAT|O_EXCL for PID files

  • 10. Buffer Safety

    Agent: buffer-safety | Risk: LOW | Findings: 0C / 2H / 2M / 3L / 2I

    Safe vs Unsafe Function Ratio

    CategoryCount
    snprintf2,227
    strncpy594
    fgets108
    vsnprintf36
    strncat20
    strcat (unsafe)11
    sprintf (unsafe)1 (vendor only)
    strcpy / gets / vsprintf0
    Safe:Unsafe ratio99.6% safe

    Notable Findings

    IDSeverityFinding
    BUF-H1Highstrcat/strncat size_t underflow in Windows command builder loops (scorpiox-search.c, scorpiox-renderimage.c) — stack overflow when buffer nearly full
    BUF-H2HighWindows scorpiox-bash.c command builder uses strcat in loop without bounds checking
    BUF-M1MediumMissing overflow clamping in 2 pos += snprintf() patterns
    BUF-M2MediumVendor sprintf fallback in mbedTLS (vendored code)

    Recommendations

  • Replace strcat-based Windows command builders with snprintf-based pattern with post-call clamping
  • Add clamping to remaining pos += snprintf() patterns

  • 11. Memory Safety

    Agent: memory-safety | Risk: MEDIUM | Findings: 1C / 2H / 47M / 3L / 2I

    The most finding-dense audit domain, primarily driven by a systemic pattern of unchecked malloc/calloc return values.

    Critical Finding

    IDFinding
    MEM-C1Potential double-free in sx_term.c line 781 — free(g_term.cap_buf) without NULL guard in error path

    High Findings

    IDFinding
    MEM-H1Unsafe realloc pattern loses original pointer on failure (memory leak + NULL deref)
    MEM-H2Memory leak in sx_term.c — allocated buffer not freed in early-return path

    Medium Findings (47)

    57+ allocation sites across the codebase where malloc/calloc/realloc return values are used without NULL checks. Key areas:

    CategoryAffected FilesCount
    Terminal/UIsx_term.c, sxmux_vt.c~10 sites
    Network/Providersx_provider.c, sx_http.c~15 sites
    Application/CLIsx.c, scorpiox-.c~20 sites
    Utilitiessx_agent.c, sx_bridge.c~12 sites

    Recommendations

  • Add a project-wide sx_malloc()/sx_calloc() wrapper that checks for NULL and logs/aborts on failure
  • Fix the double-free in sx_term.c with NULL guard
  • Fix the unsafe realloc pattern to preserve the original pointer
  • Address the memory leak in the early-return path

  • 12. Command Injection

    Agent: command-injection | Risk: MEDIUM | Findings: 0C / 1H / 3M / 3L / 2I

    Overview

    ~50+ system() calls, ~30+ popen() calls, ~40+ exec*() calls across 20+ source files. Many Unix paths have been migrated from system() to safe fork()+execvp(). Critical network-reachable paths are well-protected.

    High Finding

    IDFindingPlatform
    CJ-H1Windows cmd /C CGI environment variable injection — SX_SANITIZE_CMD does not filter %, !, backticks, or ;Windows (network-reachable)

    Medium Findings

    IDFindingPlatform
    CJ-M1Shell injection via single-quote in osascript commandmacOS only
    CJ-M2osascript voice command injection via unsanitized user textmacOS only
    CJ-M3system() call in OTP generator with partially-sanitized inputCross-platform

    Recommendations

  • Immediate: Add %, !, ` `, ;, (, ), newlines to SX_SANITIZE_CMD filter; better yet, use CreateProcess() on Windows instead of cmd /C
  • Use execvp() with argument arrays instead of system() for remaining shell-based calls
  • Properly escape single quotes in osascript commands (macOS)

  • 13. Privilege & Access Control

    Agent: privilege-access | Risk: MEDIUM | Findings: 0C / 1H / 4M / 3L / 7I

    Positive Security Posture

    High Finding

    IDFinding
    PA-H1Container runtime uses unprivileged ioctl(LOOP_CTL_GET_FREE) — may fail without loopback device access, causing fallback to less-isolated paths

    Medium Findings

    IDFinding
    PA-M1Root detection in container runtime skips user namespace isolation when running as root
    PA-M2HTTP server binds to 0.0.0.0 by default — exposes script execution to network
    PA-M3DNS server on port 53 requires elevated privileges on most systems
    PA-M4Several system() calls remain in non-critical utility paths

    Recommendations

  • Default HTTP server to 127.0.0.1 binding
  • Document privilege requirements for DNS server
  • Continue migration from system() to execvp() for remaining call sites

  • 14. Windows Deployment Analysis

    Agent: windows-deployment | Risk: LOW | Findings: 0C / 0H / 2M / 6L / 8I

    Windows Build Characteristics

    Medium Findings

    IDFinding
    WD-M1scorpiox-server listens on all interfaces by default (0.0.0.0:8080) — Windows Firewall should prompt but permissive configs expose Python script execution to LAN
    WD-M2scorpiox-dns binds to port 53 — requires admin privileges on Windows, may conflict with DNS Client service

    Low Findings

    IDFinding
    WD-L1Config stored in %USERPROFILE%\.scorpiox\ with API keys in plaintext scorpiox-env.txt
    WD-L2scorpiox-bash creates temporary .bat files (cleaned up after execution)
    WD-L3scorpiox-server-fetchtoken listens on port 9800 for TCP connections
    WD-L4scorpiox-server-email runs SMTP/IMAP server (blocked by firewall by default)
    WD-L5scorpiox-beam uses raw TCP for file transfer without encryption
    WD-L6scorpiox-bash uses CreateProcess with named pipes — injection mitigated by temp .bat approach

    15. Telemetry and Tracking

    Agent: telemetry-tracking | Risk: LOW | Findings: 0C / 0H / 0M / 2L / 5I

    Verdict: No Tracking by Default

    Both telemetry features (USAGE_TRACKING and EMIT_SESSION_TRACKING) are disabled by default across all configuration sources — compiled-in defaults, embedded WASM config, and the shipped environment file. No network telemetry calls are made unless the user explicitly opts in.

    Data Collection Inventory

    When
    USAGE_TRACKING=1 (opt-in): Collects session ID, provider, model, token counts, rate limit info, hostname, username, OS, architecture, project name, git branch, version. Does NOT collect: IP address, MAC address, device UUID, file contents, conversation text. When EMIT_SESSION_TRACKING=1 (opt-in): Collects full conversation text (user prompts, AI responses, tool output), session metadata, timestamps. This is the most privacy-sensitive feature but is disabled by default and clearly labeled.

    Low Findings

    IDFinding
    TT-L1USAGE_TRACKING collects hostname and username — PII when enabled
    TT-L2EMIT_SESSION_TRACKING transmits full conversation content — significant privacy impact when enabled

    Recommendations

  • Add a privacy notice when users enable EMIT_SESSION_TRACKING
  • Consider hashing hostname/username before transmission in usage tracking
  • Document data retention policies for collected telemetry

  • 16. Install Script & Distribution Security

    Agent: install-script | Risk: HIGH | Findings: 1C / 4H / 4M / 3L / 4I

    Critical Finding

    IDFinding
    IS-C1NAS/distribution server credentials (SMB username + password) hardcoded in repository — anyone with repo access can push arbitrary binaries

    High Findings

    IDFinding
    IS-H1SHA256 verification skipped when .sha256 sidecar unavailable (graceful degradation weakens integrity)
    IS-H2Container install path has zero integrity verification (downloads and extracts without hash checks)
    IS-H3No code signing on any distributed binaries (no GPG, cosign, Authenticode, or Apple notarization)
    IS-H4WhatsApp bridge release lacks SHA256 sidecar generation

    Medium Findings

    IDFinding
    IS-M1curl -k (TLS verification disabled) used in documented install commands
    IS-M2macOS codesign uses ad-hoc signature (--sign -), not a verified identity
    IS-M3Self-update uses file-size comparison as primary change detection
    IS-M4Non-atomic install in container paths (partial state on interruption)

    Recommendations

  • Immediate: Rotate NAS/distribution server credentials and remove from repository
  • High Priority: Implement Authenticode signing for Windows binaries
  • High Priority: Make SHA256 verification mandatory (fail-closed instead of graceful degradation)
  • Add integrity verification to container install paths
  • Remove curl -k from all documentation

  • 17. Consolidated Risk Matrix

    #AreaFindingSeverityStatusRecommendation
    1TLSToken fetch endpoints default to HTTPCriticalOpenChange default URLs to HTTPS
    2TLSTCP token fetch has zero TLSCriticalOpenAdd TLS or restrict to loopback
    3NetworkPlaintext passwords in documentationCriticalOpenRemove from repo, rotate credentials
    4NetworkNAS/dist server SMB password in repoCriticalOpenRotate credentials, remove from repo
    5NetworkCredentials in automation filesCriticalOpenUse SSH keys or vault integration
    6InstallDistribution server credentials in repoCriticalOpenRotate and remove (same as #4)
    7MemoryDouble-free in terminal error pathCriticalOpenAdd NULL guard before free
    8TLSSMTP relay falls back to plaintext silentlyHighOpenMake STARTTLS mandatory
    9TLSMX delivery has no STARTTLSHighOpenImplement opportunistic STARTTLS
    10TLSFRP client missing hostname verificationHighOpenAdd mbedtls_ssl_set_hostname()
    11TLSMITM proxy disables TLS verificationHighOpenDocument risk, add warnings
    12File I/OPredictable temp files in HTTP serverHighOpenUse mkstemp() pattern
    13BufferWindows command builder stack overflowHighOpenReplace with snprintf-based builder
    14BufferWindows bash command builder overflowHighOpenReplace with snprintf-based builder
    15MemoryUnsafe realloc loses original pointerHighOpenPreserve pointer before realloc
    16MemoryMemory leak in terminal early-returnHighOpenFree buffer in error path
    17InstallSHA256 verification graceful degradationHighOpenMake verification mandatory
    18InstallContainer install bypasses hash verificationHighOpenAdd integrity checks
    19InstallNo code signing on any binariesHighOpenImplement Authenticode/GPG signing
    20InstallWhatsApp bridge release lacks SHA256HighOpenGenerate sidecar hashes
    21Cmd InjWindows CGI SX_SANITIZE_CMD incompleteHighOpenAdd %!;() to filter or use CreateProcess
    22PrivilegeContainer ioctl fallback pathHighOpenHandle gracefully
    23NetworkHardcoded public IP in compiled defaultHighOpenUse DNS hostname
    24NetworkJWT issuer/audience hardcodedHighOpenMake configurable
    25Memory57+ unchecked malloc/calloc sitesMediumOpenAdd project-wide allocation wrapper
    26BuildRELRO/PIE linker flags missingMediumOpenAdd to linker flags
    27BuildBridge Makefile missing hardening flagsMediumOpenAdd stack protector, FORTIFY_SOURCE
    28CredentialPlaceholder "xxx" for OPENAI_API_KEYMediumOpenSet default to empty string
    29File I/OPredictable editor temp fileMediumOpenUse mkstemp()
    30File I/OConfig files written without 0600MediumOpenSet explicit permissions
    31Cmd InjOTP generator with system()MediumOpenUse execvp()
    32PrivilegeHTTP server binds 0.0.0.0 by defaultMediumOpenDefault to 127.0.0.1
    33WindowsDNS server port 53 requires adminMediumOpenDocument requirements
    34Installcurl -k in documented commandsMediumOpenRemove insecure flag
    35InstallAd-hoc macOS codesignMediumOpenUse verified identity
    36TelemetryHostname/username collected in usageLowOpenHash before transmission
    37TelemetryFull conversation in session trackingLowOpenAdd privacy notice
    38Supply ChainPre-built ELF binaries in repoMediumOpenBuild from source in CI

    18. Conclusion & Recommendations

    Overall Assessment

    ScorpioX Code demonstrates strong foundational security engineering for a C codebase of this scale. The zero-dependency architecture, comprehensive use of bounded string functions (99.6%), absence of privilege escalation code, and opt-in-only telemetry represent mature security practices. The static linking strategy on Linux eliminates an entire class of shared library attacks.

    Priority Remediation Roadmap

    Immediate (Critical — address before deployment):
  • Rotate all hardcoded credentials and remove from repository history
  • Change token fetch endpoints to HTTPS
  • Add TLS to TCP token fetch protocol or restrict to loopback
  • Fix double-free in sx_term.c
  • Short-Term (High — address within 30 days):
  • Make STARTTLS mandatory for SMTP relay
  • Add hostname verification to FRP TLS client
  • Replace all predictable temp file names with mkstemp()
  • Fix Windows command builder buffer overflows
  • Implement code signing for distributed binaries (Authenticode for Windows)
  • Make SHA256 verification mandatory (fail-closed)
  • Medium-Term (Medium — address within 90 days):
  • Add project-wide sx_malloc() wrapper with NULL checking
  • Add RELRO/PIE linker flags
  • Continue system() to execvp() migration
  • Enhance SX_SANITIZE_CMD filter for Windows
  • Default HTTP server to localhost binding
  • Long-Term (Low — address as resources allow):
  • Implement certificate pinning for critical API endpoints
  • Add TLS 1.3 support to mbedTLS configuration
  • Evaluate reproducible build infrastructure
  • Hash PII fields in telemetry before transmission
  • Windows Workstation Deployment Recommendation

    APPROVED WITH CONDITIONS — The software is suitable for Windows workstation deployment provided:
  • All Critical findings are addressed (credential rotation, HTTPS endpoints)
  • Windows Firewall rules are configured to block unexpected listening ports
  • Users are informed that scorpiox-server and scorpiox-dns` bind to network interfaces
  • Configuration directory permissions are verified on NTFS

  • 19. Appendix: Audit Methodology

    Audit Framework

    This security review was conducted using 13 specialized automated audit agents, each focused on a specific security domain:

    #AgentScope
    01supply-chainPackage managers, vendored libs, pre-built binaries
    02build-provenanceCompiler flags, build system, code provenance
    03network-endpointsHardcoded URLs, IPs, ports, credentials in source
    04tls-securityCertificate verification, protocol versions, cipher suites
    05credential-hardcodeAPI keys, passwords, tokens in compiled code
    06file-ioTemp files, permissions, path traversal, data at rest
    07buffer-safetyBuffer overflows, format strings, integer overflows
    08memory-safetyNULL checks, use-after-free, double-free, leaks
    09command-injectionsystem(), popen(), exec*() with unsanitized input
    10privilege-accesssetuid, capabilities, namespace isolation, process spawning
    11windows-deploymentWindows-specific binaries, APIs, risks
    12telemetry-trackingData collection, opt-in/opt-out, privacy
    13install-scriptDistribution, integrity verification, code signing

    Scope

    Severity Definitions

    SeverityDefinition
    CriticalExploitable vulnerability with high impact; immediate remediation required
    HighSignificant security weakness; remediation within 30 days
    MediumSecurity concern requiring attention; remediation within 90 days
    LowMinor issue or hardening opportunity; address as resources allow
    InfoInformational observation; no action required