Third-Party Software Security Review — ScorpioX Code
Software: ScorpioX Code
Type: AI-Powered Development Tool / CLI Platform
Language: Pure C (zero external dependencies)
Audit Date: 2026-04-28
Codebase Commit: 4d61a6ad4bd4c6e535dd7f57d3eff860eaf61168
Classification: CONFIDENTIAL — For Corporate Review Only
1. Executive Summary
This report presents a comprehensive security audit of ScorpioX Code, an AI-powered development tool and CLI platform written in pure C with vendored dependencies. The audit was conducted across 11 specialized security domains by independent automated agents analyzing the same codebase at commit 4d61a6a.
Key Metrics
| Metric | Value |
|---|
| Total Source Lines | 398,610 |
| First-Party Code | 170,860 lines (42.9%) |
| Vendored Code | 227,750 lines (57.1%) |
| Total Findings | 395 |
| Critical | 10 |
| High | 25 |
| Medium | 70 |
| Low | 123 |
| Informational | 167 |
| Overall Risk Rating | HIGH |
Assessment Overview
The software demonstrates strong fundamentals in several areas: zero use of unsafe C string functions (sprintf, strcpy, strcat), fully static linking, no setuid binaries, proper namespace isolation in container runtimes, and no external package manager dependencies for the core build. Two well-known vendored libraries (Mbed TLS 3.6.3, yyjson 0.12.0) are properly maintained and licensed.
However, the audit identified significant security gaps in three critical areas:
TLS/Certificate Verification (CRITICAL): SSL certificate verification is disabled on all token-fetching endpoints. Authentication tokens are transmitted over plaintext HTTP. The traffic proxy globally disables TLS verification for child processes.
Command Injection (HIGH): Despite a recent commit specifically fixing command injection (the HEAD commit), numerous residual system()/popen() calls remain where network-sourced or user-controlled data flows into shell command strings without adequate escaping — particularly in messaging integrations.
Memory Safety (HIGH): Systemic missing-NULL-check patterns across 495 allocation calls, several use-after-free vulnerabilities in network-facing server components, and 35 unsafe realloc() patterns that leak memory on failure.
The Windows deployment surface is significantly narrower: 10 Linux/macOS-only binaries (including the container runtimes and messaging bridges where the most critical command injection and privilege findings reside) are excluded from Windows builds.
2. Deployment Scope — Windows Workstation vs. Server-Side
2.1 Primary Deployment: Windows Workstation
ScorpioX Code is deployed as a statically-linked Windows application distributed as a ZIP archive containing executables and bundled GNU/BusyBox Unix tools. The build uses MinGW (WinLibs POSIX UCRT) with static linking against all libraries.
2.2 Windows Binaries (54 total)
The following executables are compiled for and deployed on Windows:
| Category | Binaries |
|---|
| Core TUI & Shell | sx.exe, scorpiox-bash.exe, scorpiox-tmux.exe, scorpiox-multiplexer.exe, scorpiox-vi.exe, scorpiox-config.exe |
| AI Provider Proxies | scorpiox-gemini.exe, scorpiox-openai.exe, scorpiox-beam.exe, scorpiox-host.exe |
| Token Management | scorpiox-claudecode-fetchtoken.exe, scorpiox-claudecode-refreshtoken.exe, scorpiox-codex-fetchtoken.exe, scorpiox-codex-refreshtoken.exe, scorpiox-gemini-fetchtoken.exe, scorpiox-server-fetchtoken.exe, scorpiox-claudecode-models.exe |
| Tools & Utilities | scorpiox-websearch.exe, scorpiox-fetch.exe, scorpiox-renderimage.exe, scorpiox-screenshot.exe, scorpiox-executecurl.exe, scorpiox-kql.exe |
| Agent & SDK | scorpiox-agent.exe, scorpiox-sdk.exe, scorpiox-tasks.exe, scorpiox-skills.exe, scorpiox-planmode.exe, scorpiox-askuserquestion.exe, scorpiox-mcp.exe, scorpiox-hook.exe, scorpiox-runtest.exe |
| Session & Logging | scorpiox-conv.exe, scorpiox-rewind.exe, scorpiox-debug.exe, scorpiox-logger.exe, scorpiox-printlogs.exe, scorpiox-transcript.exe, scorpiox-systemprompt.exe |
| Infrastructure | scorpiox-server.exe, scorpiox-server-http2tcp.exe, scorpiox-server-email.exe, scorpiox-email.exe, scorpiox-dns.exe, scorpiox-frp.exe |
| Telemetry | scorpiox-usage.exe, scorpiox-emit-session.exe |
| Windows-Only | scorpiox-wsl.exe (WSL2 runtime), scorpiox-busybox.exe (Unix tools manager) |
| Other | scorpiox-voice.exe, scorpiox-otp.exe, scorpiox-search.exe, scorpiox-docs.exe, scorpiox-vault-git.exe, scorpiox-mirror-git.exe, scorpiox-pwsh.exe |
2.3 Linux/macOS-Only Binaries — NOT Deployed on Windows
| Binary | Platform | Reason |
|---|
scorpiox-unshare | Linux | Linux user namespaces, sys/mount.h, sys/syscall.h |
scorpiox-vm | Linux | Linux KVM ioctls |
scorpiox-init | Linux | Container PID 1, Linux-only syscalls |
scorpiox-sshpass | Unix | PTY (forkpty), Unix-only |
scorpiox-traffic | Unix | Network traffic interception, Unix sockets |
scorpiox-podman | Unix | Podman container execution |
scorpiox-cron | Unix | Crontab wrapper |
scorpiox-whatsapp | Unix | Uses fork/pipe/select |
scorpiox-thunderbolt4 | macOS | macOS framework APIs |
scorpiox-imessage | macOS | macOS iMessage integration |
2.4 Windows-Filtered Findings
When scoped to Windows workstation deployment only (excluding Linux/macOS-only binaries), the finding counts are reduced:
| Severity | All Platforms | Windows Only | Excluded |
|---|
| Critical | 10 | 7 | 3 (traffic proxy TLS bypass, WhatsApp/iMessage injection) |
| High | 25 | 20 | 5 (WhatsApp/iMessage/Podman/unshare injection, unshare privilege) |
| Medium | 70 | 62 | 8 (WhatsApp injection, namespace isolation gaps) |
| Low | 123 | 119 | 4 (Linux-specific) |
| Total | 395 | 208 | 187 |
3. Changes Since Last Audit
The most recent previous audit was conducted on the same date against commit f7f14b4.
| Metric | Previous (f7f14b4) | Current (4d61a6a) | Delta |
|---|
| Overall Risk | MEDIUM | HIGH | ⬆ Increased |
| Audit Agents | 5 (general) | 11 (specialized) | +6 |
| Total Findings | 40 | 395 | +355 |
| Critical | 5 | 10 | +5 |
| High | 12 | 25 | +13 |
| Medium | 14 | 70 | +56 |
| Low | 6 | 123 | +117 |
| Info | 3 | 167 | +164 |
| Lines of Code | 369,495 | 398,610 | +29,115 |
Interpretation: The significant increase in findings is primarily attributable to the
expanded audit scope — from 5 general-purpose agents to 11 specialized agents with deeper analysis (particularly the memory safety agent which contributed 230 findings alone, including 92 LOW-severity missing-NULL-checks and 93 INFO-severity leak candidates). The HEAD commit (
security: fix command injection — replace system()/popen() with fork+execvp) demonstrates active remediation of previously identified command injection vectors.
4. Supply Chain & Dependencies
Agent Risk Rating: LOW
Key Findings
The core build has zero external package manager dependencies. All third-party code is vendored in-tree:
| Library | Version | Lines | License | Assessment |
|---|
| Mbed TLS | 3.6.3 (LTS) | 207,697 | Apache-2.0 / GPL-2.0+ | ✅ Well-established, ARM-maintained |
| yyjson | 0.12.0 | 19,556 | MIT | ✅ Widely-used JSON parser |
System dependencies (linked statically): libcurl, OpenSSL, zlib, pthreads, nghttp2/3, brotli, zstd, c-ares, libpsl, libidn2, libunistring.
| # | Severity | Finding |
|---|
| 1 | MEDIUM | Two pre-built ELF binaries (bridge/scorpiox-ws2tcp, bridge/scorpiox-ws2tcp-arm64) committed to repository without reproducible build provenance |
| 2 | LOW | npm dependency tree (~104 transitive packages) in WhatsApp bridge component via community-maintained @whiskeysockets/baileys |
| 3 | LOW | MSYS2 download script (vendor/gnuwin64/download.ps1) lacks package hash verification |
| 4 | INFO | Vendored code represents 57.1% of total codebase (dominated by Mbed TLS) |
| 5 | INFO | All vendored libraries are well-known, properly licensed, at recent versions |
5. Build System & Code Provenance
Agent Risk Rating: LOW-MEDIUM
Build System
- Primary: CMake 3.16+ with static linking (
SX_STATIC_LINK=ON)
- Windows: MinGW (WinLibs POSIX UCRT) via Ninja
- 66 executable targets defined in
scorpiox/CMakeLists.txt
Security Hardening Gaps
The following compiler hardening flags are absent from all build configurations:
| Flag | Purpose | Status |
|---|
-fstack-protector-strong | Stack buffer overflow detection | ❌ Missing |
-D_FORTIFY_SOURCE=2 | Runtime buffer overflow checks | ❌ Missing |
-fPIE / -pie | ASLR (position-independent executables) | ❌ Missing |
-Wl,-z,relro,-z,now | Full RELRO (GOT protection) | ❌ Missing |
-fstack-clash-protection | Stack clash prevention | ❌ Missing |
-fcf-protection | Control-flow integrity | ❌ Missing |
> Note: Static linking provides inherent protection against shared library attacks, but the absence of stack protectors and FORTIFY_SOURCE remains a gap.
Code Provenance
| # | Severity | Finding |
|---|
| 1 | MEDIUM | Missing compiler security hardening flags (stack protector, FORTIFY_SOURCE, PIE, RELRO) |
| 2 | MEDIUM | Build-time Python script fetches model IDs from external API (currently frozen/disabled) |
| 3 | LOW | Git history shows 99%+ single-organization commits |
| 4 | LOW | strip applied to release binaries (good practice, minor debug impact) |
| 5 | LOW | No code signing for released binaries |
6. Network Endpoints
Agent Risk Rating: HIGH
Endpoint Inventory
The codebase contains 53 unique hardcoded endpoints in project code:
| Category | Count | Protocol |
|---|
| Token/Auth endpoints | 9 | HTTP (plaintext) ⚠️ |
| Distribution/Update URLs | 12 | HTTPS ✅ |
| API service endpoints | 8 | HTTPS ✅ |
| Internal IP addresses | 5 | Various ⚠️ |
| Localhost bindings | 7 | TCP |
| Third-party APIs | 12 | HTTPS ✅ |
Critical Network Findings
| # | Severity | Finding |
|---|
| 1 | HIGH | 9 token-fetching endpoints use plaintext http:// — authentication tokens transmitted in cleartext |
| 2 | MEDIUM | 5 hardcoded private IP addresses embedded in source/config (information disclosure of internal topology) |
| 3 | LOW | 7 hardcoded default ports and localhost bindings |
| 4 | INFO | 38 HTTPS URLs properly encrypted for distribution, API, and third-party services |
7. TLS/SSL Security
Agent Risk Rating: CRITICAL
This domain represents the most severe findings in the audit.
Critical Findings
| ID | Finding | CVSS | Impact |
|---|
| C01 | SSL certificate verification disabled (CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0) on all token-fetch endpoints (Gemini, Codex, Claude Code) | 9.1 | MITM can intercept OAuth tokens |
| C02 | Default token endpoints use plaintext HTTP (http://token.scorpiox.net/...) | 9.1 | Cleartext credential transmission |
| C03 | Traffic proxy globally disables TLS verification via environment variables (NODE_TLS_REJECT_UNAUTHORIZED=0, CURLOPT_SSL_VERIFYPEER=0) | 8.1 | All child processes vulnerable to MITM (Linux only) |
Additional TLS Findings
| # | Severity | Finding |
|---|
| 1 | HIGH | mbedTLS client connections configured without certificate verification (MBEDTLS_SSL_VERIFY_NONE) |
| 2 | HIGH | SMTP client (sxmail_tls.c) disables certificate verification for outbound mail relay |
| 3 | MEDIUM | No minimum TLS version enforcement via CURLOPT_SSLVERSION |
| 4 | MEDIUM | Router URL (scorpiox.net:5176) uses plaintext HTTP |
| 5 | MEDIUM | SMTP server supports STARTTLS but also allows plaintext fallback |
| 6 | LOW | No certificate pinning for high-value endpoints |
| 7 | INFO | Refresh token endpoints (scorpiox-codex-refreshtoken, scorpiox-claudecode-refreshtoken) correctly enable verification — inconsistency with fetch endpoints |
| 8 | INFO | mbedTLS server-mode VERIFY_NONE is acceptable (no mutual TLS requirement) |
8. Hardcoded Credentials
Agent Risk Rating: MEDIUM
No active credentials (real API keys, production passwords, or live tokens) were found hardcoded in the codebase. Findings relate to placeholder values and internal infrastructure details.
| # | Severity | Finding |
|---|
| 1 | MEDIUM | Placeholder OpenAI API key "xxx" hardcoded as default — triggers authentication attempts with garbage value |
| 2 | MEDIUM | Default SSH username "root" hardcoded for Claude Code token fetching |
| 3 | MEDIUM | Internal SSH host IP (192.168.1.6) in distributed config file with SSH_USER=root, SSH_PORT=22223 |
| 4 | LOW | Internal IP 192.168.1.3 for TMUX remote host in embedded config |
| 5 | LOW | Internal IP addresses for OTP, voice, and server endpoints in config |
| 6 | LOW | Default SSH port 22223 and SSH key path in config |
| 7 | LOW | SSH password placeholder sshpassword in config |
| 8 | LOW | Codex SSH credentials pattern similar to Claude Code |
| 9-12 | INFO | API key fields empty by default (good practice); config masking function exists; no .env files committed |
9. File I/O & Data Handling
Agent Risk Rating: MEDIUM
| # | Severity | Finding |
|---|
| 1 | HIGH | Environment variables logged without sensitive value filtering in agent/server modules — API keys may appear in plaintext logs |
| 2 | HIGH | Predictable temp file names in /tmp (e.g., /tmp/sx_voice.wav, /tmp/sx_emit_*.txt) using snprintf instead of mkstemp — symlink attacks possible |
| 3 | MEDIUM | Insecure temp file creation via fopen() without O_EXCL in multiple modules |
| 4 | MEDIUM | Inconsistent directory permissions — some paths use 0700, others use 0755 or default umask |
| 5 | MEDIUM | Missing O_CLOEXEC on file descriptors — potential leakage to child processes |
| 6 | MEDIUM | Configuration values (including sensitive ones) written to disk in plaintext |
| 7 | LOW | Missing umask() before file creation in several modules |
| 8 | LOW | /tmp files not cleaned on crash/signal |
| 9 | LOW | TOCTOU race conditions in temp file operations |
| 10-12 | INFO | Auth tokens properly redacted in traffic logs (positive); sx_config_is_sensitive() used for config logging (positive); session directories use 0700 (positive) |
10. Buffer Safety
Agent Risk Rating: LOW
This is a strong area for the codebase.
Safe Function Usage (Project Code)
| Function | Count | Safety |
|---|
snprintf | 2,248 | ✅ Bounded |
strncpy | 591 | ✅ Bounded |
strncat | 14 | ✅ Bounded |
sprintf | 0 | ✅ Not used |
strcpy (bare) | 0 | ✅ Not used |
strcat (bare) | 0 | ✅ Not used |
gets | 0 | ✅ Not used |
Safe-to-unsafe ratio: ∞ — No unsafe string functions in project code.
| # | Severity | Finding |
|---|
| 1 | MEDIUM | Signed int position accumulators in snprintf() loops can silently overflow, causing truncated command strings — potential for partial command execution |
| 2 | LOW | Large stack buffers (4–16 KB) with accumulation loops lack explicit truncation detection |
| 3 | LOW | strncpy usage does not always ensure NUL termination on exact-fit copies |
| 4-8 | INFO | Vendor code (yyjson) has single conditional sprintf fallback for pre-C99 compilers only; all mbedTLS format calls use snprintf; no format string vulnerabilities found |
11. Memory Safety
Agent Risk Rating: HIGH
The memory safety audit analyzed 495 allocation calls and 1,309 free() calls across 150 non-vendor source files. This domain produced the highest finding count.
Summary
| Category | Count | Severity |
|---|
| Use-after-free in network/server paths | 3 | Critical |
| Use-after-free in agent/protocol handlers | 7 | High |
Unsafe realloc (old pointer lost on failure) | 35 | Medium |
Missing NULL check after malloc/calloc/realloc | 92 | Low |
| Early-return memory leak candidates | 93 | Info |
Critical Memory Findings
| ID | Finding | Location |
|---|
| CRIT-03 | Multiple unchecked malloc calls in HTTP server request handler — NULL dereference crash causes denial of service | scorpiox-server.c:2409, 2806 |
> Note: Two initially-reported critical use-after-free findings (CRIT-01 in sxmail_queue.c and CRIT-02 in ws2tcp.c) were verified as false positives upon detailed analysis — control flow prevents the freed pointers from being used.
Systemic Patterns
- Unsafe realloc (35 instances): Pattern
ptr = realloc(ptr, new_size) loses the old pointer on failure, causing memory leaks. Affects dynamic buffer growth in JSON parsing, HTTP response accumulation, and agent output collection.
- Missing NULL checks (92 instances): Most
malloc/calloc calls proceed without verifying the allocation succeeded. On memory pressure, this results in NULL pointer dereference crashes.
12. Command Injection
Agent Risk Rating: HIGH
The HEAD commit (4d61a6a: security: fix command injection — replace system()/popen() with fork+execvp) demonstrates active remediation. However, residual vulnerabilities remain.
Critical Command Injection Findings
| ID | Finding | CVSS | Network? | Windows? |
|---|
| C1 | Hook data JSON injected into popen()/system() — single quotes not escaped | 9.8 | Yes (webhook events) | Yes |
| C2 | WhatsApp message content injected into system() — display name, emoji, message ID | 9.8 | Yes (any WhatsApp sender) | No |
| C3 | iMessage sender data injected into system() — phone number in folder path | 8.8 | Yes (any iMessage sender) | No |
| C4 | is_safe_shell_arg() does not block single quotes — all callers using single-quote delimited system() calls are bypassable | 9.0 | Various | Yes |
High Severity
| ID | Finding | Network? | Windows? |
|---|
| H1 | WSL command construction with user-controlled project names into system() | No | Yes |
| H2 | Server config values interpolated into system() for agent spawning | Config | Yes |
| H3 | iMessage attachment path injection | Yes | No |
| H4 | WhatsApp OGG conversion with unsanitized paths | No | No |
| H5 | Podman image/container names into system() | No | No |
| H6 | Unshare overlay paths into system() | No | No |
| H7 | Server OTP generation with query parameters (partially fixed) | Yes | Yes |
| H8 | SSH proxy hostname injection in TMUX | Config | Yes |
Recommendations
Replace all remaining system() calls with fork() + execvp() — the codebase already demonstrates this pattern correctly in scorpiox-websearch.c and the editor launch.
Fix is_safe_shell_arg() to block single quotes — add ' to the rejected character list.
Implement proper shell escaping for any remaining system()/popen() usage.
13. Privilege & Access Control
Agent Risk Rating: MEDIUM
Positive Findings
- No setuid/setgid binaries shipped
- Container runtime (
scorpiox-unshare) targets rootless execution via user namespaces
- Proper
pivot_root with old root cleanup
- Environment cleared (
clearenv()) and rebuilt with minimal set in containers
- cgroup v2 memory limits enforced
- slirp4netns with
--disable-host-loopback for network isolation
Findings
| # | Severity | Finding |
|---|
| 1 | HIGH | WSL2 runtime executes all container operations as root (wsl.exe -d -u root) |
| 2 | HIGH | Shell command strings built via snprintf() and passed to system() in WSL module |
| 3 | HIGH | Container runtime retains root-capable code paths when getuid() == 0 (skips user namespace) |
| 4 | MEDIUM | GPU passthrough (--gpu) bind-mounts all /dev/nvidia and /dev/dri/ into container |
| 5 | MEDIUM | Missing IPC namespace isolation (CLONE_NEWIPC not set) — shared memory leakage between container and host |
| 6 | MEDIUM | TAP networking requires CAP_NET_ADMIN in VM runtime |
| 7 | MEDIUM | cgroup v2 memory limits require delegation (often root) |
| 8 | MEDIUM | WSL overlay runs as root inside WSL distribution |
| 9-12 | MEDIUM | Various system()-based command execution patterns in container/WSL modules |
| 13-16 | LOW | UID/GID map manipulation (standard rootless pattern), /dev/kvm access, /proc mount without MS_NOEXEC fallback |
| 17-19 | INFO | Standard Unix domain socket usage, pipe-based IPC, proper signal handling |
14. Windows Deployment Analysis
Agent Risk Rating: LOW
Windows-Specific Implementation
The Windows build demonstrates good cross-platform hygiene:
| Feature | Implementation |
|---|
| Process execution | CreateProcess + CREATE_NO_WINDOW for background commands; ConPTY for terminal |
| Network | Winsock2 with WSAStartup/WSACleanup; WinINet for WSL image downloads |
| Screen capture | GDI (BitBlt, GetDIBits, EnumDisplayMonitors) |
| File transfer | TransmitFile (zero-copy Winsock) |
| Terminal | ConPTY (CreatePseudoConsole) on Windows 10 1809+ |
| TLS | Static libcurl with bundled curl-ca-bundle.crt |
Windows-Specific Findings
| # | Severity | Finding |
|---|
| 1-5 | INFO | Standard Windows API usage patterns; proper #ifdef _WIN32/SX_WINDOWS guards; no Windows-specific backdoors or novel attack surfaces beyond the general codebase findings |
Assessment: No additional Windows-specific vulnerabilities were identified beyond those already documented in the cross-platform audit sections. The Windows deployment surface is narrower due to the exclusion of 10 Linux/macOS-only binaries.
15. Telemetry and Tracking
Note: The telemetry-tracking audit branch was not available for merge. Assessment is based on static analysis of telemetry-related binaries identified in other audit reports.
Identified Telemetry Components
| Binary | Endpoint | Data Sent |
|---|
scorpiox-usage | https://code.scorpiox.net/usage-send | Token usage metrics |
scorpiox-emit-session | https://code.scorpiox.net/sessions-send | Session event data |
Observations
- Both telemetry endpoints use HTTPS (encrypted)
- Telemetry binaries are included in the Windows build
- No evidence of covert data collection channels beyond the two documented endpoints
- Session emit writes temporary files to
/tmp/ before transmission (see File I/O findings)
16. Consolidated Risk Matrix
| Area | Finding | Severity | Status | Windows? | Recommendation |
|---|
| TLS | SSL cert verification disabled on token-fetch endpoints | CRITICAL | Open | Yes | Enable CURLOPT_SSL_VERIFYPEER=1, CURLOPT_SSL_VERIFYHOST=2; use CURLOPT_CAINFO for CA bundle |
| TLS | Token endpoints use plaintext HTTP | CRITICAL | Open | Yes | Migrate all http://token.scorpiox.net/ to https:// |
| TLS | Traffic proxy global TLS bypass | CRITICAL | Open | No | Remove NODE_TLS_REJECT_UNAUTHORIZED=0 and similar env overrides |
| Cmd Injection | Hook data JSON in system() — single quotes unescaped | CRITICAL | Open | Yes | Use fork()+execvp() instead of system() |
| Cmd Injection | WhatsApp message injection via system() | CRITICAL | Open | No | Replace system() with fork()+execvp() |
| Cmd Injection | iMessage sender injection via system() | CRITICAL | Open | No | Replace system() with fork()+execvp() |
| Cmd Injection | is_safe_shell_arg() missing single-quote block | CRITICAL | Open | Yes | Add ' to rejected characters |
| Memory | Unchecked malloc in HTTP server — DoS | CRITICAL | Open | Yes | Add NULL checks after all allocations in server path |
| Memory | Use-after-free in agent/protocol handlers | HIGH | Open | Yes | Audit and fix free/use ordering |
| Memory | 35 unsafe realloc patterns | MEDIUM | Open | Yes | Use tmp = realloc(ptr, size); if (tmp) ptr = tmp; |
| Memory | 92 missing NULL checks after allocation | LOW | Open | Yes | Add systematic NULL checks |
| Network | 9 plaintext HTTP token endpoints | HIGH | Open | Yes | Enforce HTTPS-only |
| Network | 5 hardcoded internal IP addresses | MEDIUM | Open | Yes | Remove from distributed config; use empty defaults |
| Build | Missing compiler hardening flags | MEDIUM | Open | Yes | Add -fstack-protector-strong -D_FORTIFY_SOURCE=2 |
| Credentials | Placeholder API key "xxx" triggers auth attempts | MEDIUM | Open | Yes | Set default to empty string "" |
| Credentials | SSH root user + internal IP in shipped config | MEDIUM | Open | Yes | Ship config with empty values |
| File I/O | Sensitive env vars logged in plaintext | HIGH | Open | Yes | Apply sx_config_is_sensitive() filtering |
| File I/O | Predictable temp files without mkstemp | HIGH | Open | Yes | Use mkstemp()/tmpfile() for temp file creation |
| File I/O | Missing O_CLOEXEC on file descriptors | MEDIUM | Open | Yes | Add O_CLOEXEC to all open() calls |
| Privilege | WSL runtime executes as root | HIGH | Open | Yes | Use non-root WSL user where possible |
| Privilege | Missing IPC namespace isolation | MEDIUM | Open | No | Add CLONE_NEWIPC to clone flags |
| Supply Chain | Pre-built ELF binaries in repository | MEDIUM | Open | No | Build from source in CI |
| Buffer | Signed int accumulators in snprintf() loops | MEDIUM | Open | Yes | Use size_t with bounds clamping |
17. Conclusion & Recommendations
Overall Assessment
ScorpioX Code demonstrates a mature C codebase with strong fundamentals — zero unsafe string functions, comprehensive static linking, no privilege escalation vectors, and careful namespace isolation in container components. The HEAD commit shows active security remediation.
However, three systemic issues elevate the overall risk to HIGH:
TLS verification bypass is the most urgent issue — authentication tokens are transmitted in cleartext and certificate verification is disabled on critical endpoints.
Residual command injection via system()/popen() calls remains widespread despite recent fixes.
Memory safety gaps (unchecked allocations, unsafe realloc patterns) are typical of C codebases but create denial-of-service risk in network-facing components.
Priority Remediation
| Priority | Action | Impact |
|---|
| P0 — Immediate | Enable TLS certificate verification on all token-fetch endpoints | Prevents credential interception |
| P0 — Immediate | Migrate token URLs from http:// to https:// | Encrypts authentication traffic |
| P1 — High | Replace remaining system()/popen() with fork()+execvp() | Eliminates command injection class |
| P1 — High | Fix is_safe_shell_arg() single-quote bypass | Closes escaping gap |
| P2 — Medium | Add NULL checks after allocations in server/agent paths | Prevents DoS via NULL dereference |
| P2 — Medium | Enable compiler hardening flags | Defense-in-depth against memory corruption |
| P2 — Medium | Use mkstemp() for temp file creation | Prevents symlink/race attacks |
| P3 — Low | Remove internal IPs from distributed config | Reduces information leakage |
| P3 — Low | Fix unsafe realloc patterns | Prevents memory leaks under pressure |
Windows Workstation Risk Rating
For the scoped Windows workstation deployment: MEDIUM-HIGH — The most severe findings (TLS bypass, credential plaintext transmission, hook command injection) apply to Windows. However, the highest-CVSS command injection vectors (WhatsApp/iMessage message injection) are Linux/macOS-only.
18. Appendix: Audit Methodology
Audit Framework
This audit employed 11 specialized automated agents, each analyzing the complete codebase from a specific security domain:
| Agent | Domain | Method |
|---|
supply-chain | Dependencies, vendored code, package managers | Dependency tree analysis, license check, binary detection |
build-provenance | Build system, compiler flags, code signing | CMake/Makefile analysis, flag inventory |
network-endpoints | URLs, IPs, ports, protocols | Static string extraction, protocol classification |
tls-security | TLS configuration, certificate verification | libcurl option audit, mbedTLS config review |
credential-hardcode | API keys, passwords, tokens, secrets | Pattern matching, entropy analysis, config review |
file-io | File operations, temp files, permissions | Syscall audit, permission analysis, race condition detection |
buffer-safety | Buffer overflows, format strings, bounds checking | Function census, pattern analysis, accumulator audit |
memory-safety | malloc/free correctness, use-after-free, leaks | Allocation tracking, free-order analysis, realloc patterns |
command-injection | system()/popen()/exec() with user input | Taint analysis, shell metacharacter flow |
privilege-access | Setuid, namespaces, capabilities, process spawning | Privilege API audit, namespace isolation review |
windows-deployment | Windows binaries, APIs, platform-specific risks | Binary inventory, Win32 API audit, cross-platform guard review |
Scope
- In Scope: All non-vendor
.c and .h source files (150 files, 170,860 lines)
- Vendor Analysis: Vendored libraries (Mbed TLS, yyjson) reviewed for known vulnerabilities and configuration issues
- Out of Scope: Runtime behavior, dynamic analysis, penetration testing, third-party API security
Severity Classification
| Level | Definition |
|---|
| CRITICAL | Exploitable remotely without authentication; direct credential/data compromise |
| HIGH | Significant security weakness; requires specific conditions for exploitation |
| MEDIUM | Security concern with mitigating factors; defense-in-depth gap |
| LOW | Minor issue; best-practice deviation with minimal direct impact |
| INFO | Observation or positive finding; no direct security impact |