Third-Party Software Security Review — ScorpioX Code
Software: ScorpioX Code
Type: AI-Powered Development Tool / CLI Platform
Language: Pure C (zero external dependencies)
Audit Date: 2026-04-28
Codebase Commit: 9bfa5b461aa008cd7a1713d37c9aa6c44cecc4ce
Classification: CONFIDENTIAL — For Corporate Review Only
1. Executive Summary
This report presents a comprehensive security audit of ScorpioX Code, an AI-powered development tool and CLI platform written in pure C. The audit was performed by 13 specialized automated agents, each analyzing a distinct security domain across 378,558 total lines of code (151,487 project code, 226,685 vendor code).
Overall Risk Rating: HIGH
The software demonstrates exceptional discipline in several areas — notably zero uses of unsafe string functions (strcpy, strcat, gets, scanf), a safe-to-unsafe function ratio exceeding 2,800:1, all telemetry disabled by default, and comprehensive use of bounded buffer operations. However, significant risks persist in TLS certificate verification (systematically disabled across token fetchers and email), command injection vectors in network-reachable code paths, a complete absence of cryptographic integrity verification for binary distribution, and sensitive data exposure through log files.
Aggregate Findings
| Severity | Count |
|---|
| Critical | 13 |
| High | 33 |
| Medium | 120 |
| Low | 28 |
| Informational | 355 |
| Total | 549 |
Windows-Filtered Findings (excluding Linux/macOS-only): 11 Critical, 28 High, 118 Medium, 28 Low —
185 actionable findings.
Key Strengths
- Zero external package manager dependencies (core build)
- All third-party code vendored in-tree with known versions
- Fully static linking eliminates runtime dependency attacks
- No tracking or telemetry by default — all opt-in
- Exceptional buffer safety: 2,213
snprintf calls, 0 strcpy/strcat/sprintf in project code
- Strong Windows deployment posture (LOW risk per Windows-specific audit)
Critical Concerns
No cryptographic verification of distributed binaries (no checksums, signatures, or code signing)
SSL certificate verification disabled in token fetchers and email module (MITM risk)
Command injection vectors in network-reachable server code (Windows CGI path)
Sensitive data logged to disk including API keys in HTTP headers and VTRACE config dumps
Outdated vendored mbedTLS (3.6.3 vs 3.6.6) with 11 unpatched security advisories
2. Deployment Scope — Windows Workstation
Primary Deployment: Windows Workstation
The following binaries are compiled and deployed on Windows:
| Category | Binaries |
|---|
| Core CLI | sx.exe, scorpiox-config.exe, scorpiox-bash.exe, scorpiox-vi.exe |
| Shell & Tools | scorpiox-busybox.exe, scorpiox-pwsh.exe, scorpiox-wsl.exe |
| AI/API | scorpiox-agent.exe, scorpiox-openai.exe, scorpiox-gemini.exe |
| Networking | scorpiox-fetch.exe, scorpiox-websearch.exe, scorpiox-dns.exe |
| Media | scorpiox-screenshot.exe, scorpiox-renderimage.exe, scorpiox-voice.exe |
| Auth/Token | scorpiox-claudecode-fetchtoken.exe, scorpiox-codex-fetchtoken.exe, scorpiox-gemini-fetchtoken.exe |
| Server | scorpiox-server.exe, scorpiox-server-email.exe, scorpiox-server-http2tcp.exe |
| Utilities | scorpiox-conv.exe, scorpiox-debug.exe, scorpiox-email.exe, scorpiox-frp.exe, scorpiox-hook.exe, scorpiox-host.exe, scorpiox-kql.exe, scorpiox-logger.exe, scorpiox-mcp.exe, scorpiox-mirror-git.exe, scorpiox-multiplexer.exe, scorpiox-otp.exe, scorpiox-planmode.exe, scorpiox-printlogs.exe, scorpiox-rewind.exe, scorpiox-runtest.exe, scorpiox-sdk.exe, scorpiox-search.exe, scorpiox-skills.exe, scorpiox-systemprompt.exe, scorpiox-tasks.exe, scorpiox-tmux.exe, scorpiox-transcript.exe, scorpiox-usage.exe, scorpiox-vault-git.exe, scorpiox-emit-session.exe, scorpiox-executecurl.exe, scorpiox-askuserquestion.exe, scorpiox-beam.exe, scorpiox-docs.exe, scorpiox-server-fetchtoken.exe |
| Library | libsx.dll |
Total Windows binaries: ~58 executables + 1 DLL
Linux-Only Binaries (Not Deployed on Windows)
| Binary | Purpose |
|---|
scorpiox-unshare | Rootless container runtime (Linux namespaces) |
scorpiox-vm | QEMU/KVM hypervisor manager |
scorpiox-init | Container init process |
scorpiox-sshpass | PTY-based SSH password feeder |
scorpiox-traffic | Network traffic proxy |
scorpiox-podman | Podman container integration |
scorpiox-cron | Cron job scheduler |
scorpiox-whatsapp | WhatsApp bridge manager |
macOS-Only Binaries
| Binary | Purpose |
|---|
scorpiox-imessage | iMessage AppleScript bridge |
Windows-Filtered Risk Summary
After excluding Linux-only and macOS-only findings:
| Severity | All Platforms | Windows-Relevant | Excluded |
|---|
| Critical | 13 | 11 | 2 (unshare privileged, curl\ | bash Linux install) |
| High | 33 | 28 | 5 (unshare, sshpass, imessage, podman) |
| Medium | 120 | 118 | 2 (unshare namespace, auto-subuid) |
| Low | 28 | 28 | 0 |
| Actionable Total | 194 | 185 | 9 |
3. Changes Since Last Audit
Previous Audit: output/2026-04-28_4d61a6a (commit
4d61a6a)
Previous Agents: 11 (supply-chain through windows-deployment)
Current Agents: 13 (added telemetry-tracking, install-script)
Severity Comparison
| Severity | Previous | Current | Delta | Notes |
|---|
| Critical | 10 | 13 | +3 | Install script audit added 4 new CRITICAL findings |
| High | 25 | 33 | +8 | Install script (4), expanded memory-safety analysis |
| Medium | 70 | 120 | +50 | Memory-safety error-path leaks (82) now enumerated individually |
| Low | 123 | 28 | −95 | Reclassification: many prior LOW findings moved to INFO |
| Info | 167 | 355 | +188 | Memory-safety dangling pointers (291) now tracked as INFO |
| Total | 395 | 549 | +154 | Expanded audit scope (2 new agents) + deeper analysis |
Key Changes
New: Telemetry & Tracking Audit — Confirmed all telemetry disabled by default (LOW risk)
New: Install Script Audit — Uncovered 4 CRITICAL findings in binary distribution pipeline
Memory Safety — Deeper analysis now tracks 291 INFO-level dangling pointer risks and 82 MEDIUM error-path memory leaks
Codebase Size — Reduced from 398,610 to 378,558 total lines (cleanup of duplicate/plan files)
4. Supply Chain & Dependencies
Agent Risk Rating: MEDIUM
Key Findings
| # | Severity | Finding |
|---|
| 1 | MEDIUM | Vendored mbedTLS 3.6.3 is 3 patch releases behind LTS 3.6.6 — 11 security advisories unpatched |
| 2 | MEDIUM | Two pre-built ELF binaries committed to repository (bridge/scorpiox-ws2tcp, ARM64 variant) |
| 3 | LOW | npm release candidate dependency (@whiskeysockets/baileys@7.0.0-rc.9) |
| 4 | LOW | ~105 transitive npm dependencies in bridge component |
| 5 | INFO | All system dependencies (libcurl, OpenSSL, zlib) are standard OS-packaged libraries |
| 6 | INFO | yyjson 0.12.0 is current — no known CVEs |
| 7 | INFO | gnuwin64 vendor contains only download scripts, no committed binaries |
| 8 | INFO | Lock file (bun.lock) committed with integrity hashes |
Recommendations
- Update mbedTLS to 3.6.6 — addresses buffer overflow, TLS 1.3 client impersonation, ECDSA stack overflow
- Remove pre-built binaries from source tree; build from source in CI
- Pin npm dependency to stable release
5. Build System & Code Provenance
Agent Risk Rating: LOW
Key Findings
| # | Severity | Finding |
|---|
| 1 | MEDIUM | Missing linker hardening flags (RELRO, noexecstack) — mitigated by static linking default |
| 2 | MEDIUM | Bridge Makefile lacks -fstack-protector-strong and -D_FORTIFY_SOURCE=2 |
| 3 | LOW | Model header code generator (tests/code_generator_models.py) fetches from network at build time |
| 4 | LOW | Suppressed GCC warnings (-Wno-format-truncation, -Wno-stringop-truncation) |
| 5 | LOW | No reproducible build mechanism (no build provenance attestation) |
| 6 | INFO | C11 standard, CMake 3.16+, pure C project |
| 7 | INFO | Static linking default (SX_STATIC_LINK=ON) reduces runtime attack surface |
| 8 | INFO | fstack-protector-strong enabled on all builds |
| 9 | INFO | _FORTIFY_SOURCE=2 enabled for release builds |
| 10 | INFO | fcf-protection enabled for GCC builds |
Hardening Flags Summary
| Flag | Status |
|---|
-Wall -Wextra | ✅ Enabled |
-fstack-protector-strong | ✅ Enabled |
-D_FORTIFY_SOURCE=2 | ✅ Release builds |
-fcf-protection | ✅ GCC builds |
-Wl,-z,relro -Wl,-z,now | ❌ Missing (mitigated by static linking) |
-fPIE -pie | ❌ N/A for static builds |
-fstack-clash-protection | ❌ Missing |
6. Network Endpoints
Agent Risk Rating: HIGH
Key Findings
| # | Severity | Finding |
|---|
| 1 | CRITICAL | Hardcoded private network IP (192.168.1.12:8045) with default credential path for Anthropic proxy |
| 2 | CRITICAL | Hardcoded public IP (20.53.240.54) as default TCP relay host |
| 3 | HIGH | Plaintext HTTP endpoints for authentication token retrieval (token.scorpiox.net) |
| 4 | HIGH | PAT (Personal Access Token) injected into HTTPS clone URLs |
| 5 | HIGH | HTTP metadata endpoints (169.254.169.254) for cloud token retrieval |
| 6 | HIGH | FRP tunnel configuration with hardcoded server endpoint |
| 7 | HIGH | SSH connection strings with credential interpolation |
| 8 | MEDIUM | 10+ hardcoded dist.scorpiox.net URLs for binary distribution |
| 9 | MEDIUM | Hardcoded DNS resolvers (1.1.1.1, 8.8.8.8) |
| 10 | MEDIUM | OAuth2 token exchange URLs for Google, Microsoft identity providers |
Network Inventory Summary
- 49 unique hardcoded URLs across source code
- 15+ unique hardcoded IP addresses
- 12 hardcoded ports
- 9+ unique domain names
Recommendations
- Migrate all
http:// token endpoints to https://
- Remove hardcoded private IPs from compiled defaults
- Use DNS hostnames instead of IP addresses for infrastructure references
- Implement configurable endpoint registry
7. TLS/SSL Security
Agent Risk Rating: HIGH
Key Findings
| # | Severity | Finding | CWE |
|---|
| 1 | CRITICAL | SSL verification disabled in 3 token fetchers (CURLOPT_SSL_VERIFYPEER=0) | CWE-295 |
| 2 | CRITICAL | SSL verification disabled for SMTP/TLS email sending | CWE-295 |
| 3 | HIGH | Authentication tokens fetched over plaintext HTTP | CWE-319 |
| 4 | HIGH | Traffic proxy disables all upstream certificate validation | CWE-295 |
| 5 | HIGH | FRP tunnel client uses mbedTLS with MBEDTLS_SSL_VERIFY_NONE | CWE-295 |
| 6 | HIGH | OAuth token exchange over unverified connections | CWE-295 |
| 7 | HIGH | Vendored mbedTLS 3.6.3 has known TLS 1.3 impersonation vulnerability | CWE-295 |
| 8 | MEDIUM | No certificate pinning for any first-party services | CWE-295 |
| 9 | MEDIUM | Mixed use of system CA store and disabled verification across modules | — |
| 10 | LOW | TMUX_PODMAN_TLS_VERIFY defaults to false | CWE-295 |
TLS Verification Status by Module
| Module | Verification | Status |
|---|
scorpiox-gemini-fetchtoken | Disabled | ❌ CRITICAL |
scorpiox-codex-fetchtoken | Disabled | ❌ CRITICAL |
scorpiox-claudecode-fetchtoken | Disabled | ❌ CRITICAL |
scorpiox-email | Disabled | ❌ CRITICAL |
scorpiox-traffic | Disabled (by design — proxy) | ⚠️ HIGH |
scorpiox-frp | Disabled (mbedTLS) | ⚠️ HIGH |
scorpiox-codex-refreshtoken | Enabled | ✅ |
scorpiox-claudecode-refreshtoken | Enabled | ✅ |
sx (main AI client) | System CA store | ✅ |
Recommendations
- Enable certificate verification in ALL token fetchers (set
CURLOPT_SSL_VERIFYPEER=1L, CURLOPT_SSL_VERIFYHOST=2L)
- Add runtime flag for development self-signed cert bypass instead of unconditional disable
- Migrate all HTTP token endpoints to HTTPS
- Update mbedTLS to 3.6.6
8. Hardcoded Credentials
Agent Risk Rating: LOW
Key Findings
| # | Severity | Finding |
|---|
| 1 | MEDIUM | Placeholder API key "xxx" compiled as default for OPENAI_API_KEY |
| 2 | LOW | SSH credential placeholder fields (_PASS) in compiled defaults |
| 3 | LOW | Hardcoded infrastructure IPs (192.168.1.12, 20.53.240.54) in defaults |
| 4 | INFO | 20+ API key fields correctly initialized to empty strings |
| 5 | INFO | sx_config_is_sensitive() function properly redacts known secret fields |
Positive Patterns
- Configuration cascade design: environment variables → config files → compiled defaults
- Sensitive field redaction function exists and covers all credential keys
- No real API keys, passwords, or tokens found in source code
Recommendations
- Replace
"xxx" placeholder with empty string "" for OPENAI_API_KEY
- Remove
_PASS fields from compiled defaults entirely
- Move infrastructure IPs to runtime-only configuration
9. File I/O & Data Handling
Agent Risk Rating: HIGH
Key Findings
| # | Severity | Finding | CWE |
|---|
| 1 | CRITICAL | API request/response bodies logged to disk including API keys in HTTP headers | CWE-532 |
| 2 | CRITICAL | Config VTRACE logs ALL key-value pairs including secrets (bypasses redaction) | CWE-532 |
| 3 | HIGH | Predictable temp file names enable symlink attacks (TOCTOU) | CWE-377 |
| 4 | HIGH | Hardcoded log paths with world-readable default permissions (0644) | CWE-732 |
| 5 | HIGH | Session conversation files readable by all local users | CWE-732 |
| 6 | MEDIUM | No file locking on concurrent config reads/writes | CWE-362 |
| 7 | MEDIUM | Downloaded files stored without integrity verification | CWE-354 |
| 8 | MEDIUM | Email body written to temp file before sending (plaintext) | CWE-312 |
| 9 | MEDIUM | WSL overlay filesystem operations use predictable paths | CWE-377 |
| 10 | MEDIUM | Container image extraction without path traversal checks (tar) | CWE-22 |
Positive Patterns
mkstemp() used in 11 locations (inconsistent application)
realpath() used for path traversal validation in some modules
- Config redaction function exists for log output
Recommendations
- Redact
x-api-key and Authorization headers before logging
- Apply
sx_config_is_sensitive() to VTRACE logging
- Set all log and session file permissions to 0600
- Replace ALL predictable temp file patterns with
mkstemp()/mkdtemp()
10. Buffer Safety
Agent Risk Rating: LOW
Key Findings
| # | Severity | Finding |
|---|
| 1 | MEDIUM | 5 locations where unclamped snprintf return value passed to send_all() (potential OOB read on truncation) |
| 2 | MEDIUM | 4 locations where HTTP response headers constructed without clamping snprintf return |
| 3 | MEDIUM | url_encode() theoretical integer overflow on 32-bit: len * 3 + 1 |
| 4 | MEDIUM | sxmail_dkim.c:414 — 32KB stack buffer for DKIM signing |
| 5 | MEDIUM | scorpiox-tmux.c:2323 — 16KB stack buffer for command assembly |
| 6 | LOW | Single sprintf in vendored yyjson (conditional fallback path) |
| 7 | LOW | strncpy used in 593 locations — proper sizeof()-1 pattern but no NUL guarantee on exact-fit |
Exceptional Metrics
| Metric | Value |
|---|
sprintf calls (project code) | 0 |
strcpy calls | 0 |
strcat calls | 0 |
gets calls | 0 |
scanf calls | 0 |
snprintf calls | 2,213 |
strncpy calls | 593 |
| Safe-to-unsafe ratio | >2,800:1 |
| Stack buffers ≥ 4KB | 214 (all bounded with sizeof()) |
11. Memory Safety
Agent Risk Rating: HIGH
Key Findings
| # | Severity | Count | Finding |
|---|
| 1 | HIGH | 5 | Missing NULL checks after calloc() in sx.c (AgentThread allocation) |
| 2 | HIGH | 1 | realloc() result assigned directly to source pointer in sx_mcp.c (memory leak on failure) |
| 3 | MEDIUM | 82 | Memory leaks on error paths — allocations not freed before early return |
| 4 | INFO | 291 | Freed pointers not set to NULL (dangling pointer risk) |
Analysis Summary
| Category | Count | Severity |
|---|
Missing malloc/calloc NULL check | 5 | HIGH |
| Realloc overwrite pattern | 1 | HIGH |
| Memory leak on error path | 82 | MEDIUM |
| Free without NULL assignment | 291 | INFO |
Recommendations
- Add NULL checks after all 5
calloc() calls in sx.c
- Use temporary variable for
realloc() in sx_mcp.c
- Prioritize error-path leak fixes in network-facing modules
- Consider adopting a
FREE_AND_NULL() macro project-wide
12. Command Injection
Agent Risk Rating: CRITICAL
Key Findings
| # | Severity | Finding | CVSS |
|---|
| 1 | CRITICAL | scorpiox-docs.c — URL injected into system() without sanitization | 7.8 (local) |
| 2 | CRITICAL | scorpiox-server.c — Windows CGI QUERY_STRING/PATH_INFO not sanitized in _popen() | 9.8 (network) |
| 3 | HIGH | scorpiox-imessage.c — AppleScript injection via incomplete escaping (macOS-only) | 8.6 |
| 4 | HIGH | scorpiox-wsl.c — Environment variable injection into chroot shell command | 7.8 |
| 5 | HIGH | scorpiox-sdk.c — SDK repo path injected into shell commands | 7.8 |
| 6 | HIGH | scorpiox-unshare.c — Container hostname/command injection (Linux-only) | 7.8 |
| 7 | MEDIUM | scorpiox-multiplexer.c — Session name used in system() | 6.5 |
| 8 | MEDIUM | scorpiox-tmux.c — Project path interpolated into shell commands | 6.5 |
| 9 | MEDIUM | scorpiox-host.c — Hostname injected into shell strings | 6.5 |
| 10 | MEDIUM | scorpiox-kql.c — KQL query passed to system() | 6.5 |
System Call Inventory
| Function | Count (project code) |
|---|
system() | 77+ |
popen() | 30+ |
exec*() | 40+ |
Windows-Critical: C2 (CVSS 9.8)
The scorpiox-server.c Windows CGI path uses _popen() with unsanitized QUERY_STRING and PATH_INFO from HTTP requests. An attacker can break out of the set "..." command on Windows to execute arbitrary commands remotely. This is the highest-severity finding in the entire audit.
Recommendations
- Immediate: Sanitize
QUERY_STRING and PATH_INFO in scorpiox-server.c using SX_SANITIZE_CMD (already applied to other variables in the same function)
- Replace
system() with fork()+execvp() (or CreateProcessW on Windows) wherever possible
- Implement and enforce
is_safe_shell_arg() validation for all user-supplied shell arguments
13. Privilege & Access Control
Agent Risk Rating: MEDIUM
Key Findings
| # | Severity | Finding |
|---|
| 1 | CRITICAL | scorpiox-unshare --privileged runs container with full root capabilities (Linux-only) |
| 2 | HIGH | scorpiox-wsl uses chroot with shell-interpolated environment variables (Windows) |
| 3 | HIGH | scorpiox-sshpass disables SSH host key verification by default (Linux-only) |
| 4 | HIGH | scorpiox-unshare auto-creates /etc/subuid and /etc/subgid when root (Linux-only) |
| 5 | HIGH | Multiple server components bind to 0.0.0.0 by default (all interfaces) |
| 6 | HIGH | DNS server (scorpiox-dns) listens on privileged port 53 |
| 7 | HIGH | newuidmap/newgidmap setuid helper reliance (Linux-only) |
| 8 | MEDIUM | No rate limiting or authentication on local server endpoints |
| 9 | MEDIUM | Container hostname written to /etc/hostname inside namespace |
| 10 | MEDIUM | JWT validation uses hardcoded issuer/audience URLs |
| 11 | MEDIUM | Server email component stores SMTP credentials in config |
| 12 | MEDIUM | setgroups allowed when full UID range available |
Windows-Relevant Privilege Findings
After excluding Linux-only findings (unshare, sshpass, podman, cron):
- 0 Critical (the unshare
--privileged finding is Linux-only)
- 3 High (WSL chroot, server bind 0.0.0.0, DNS port 53)
- 3 Medium (no rate limiting, JWT hardcoded, SMTP creds)
Positive Patterns
- Main
sx binary runs entirely as unprivileged user
- No
setuid/setgid calls in any Windows binary
- No capability manipulation on Windows
- Process monitoring subsystem tracks child process lifecycle
14. Windows Deployment Analysis
Agent Risk Rating: LOW
Key Findings
| # | Severity | Finding |
|---|
| 1 | INFO | MinGW static linking with vendored mbedTLS and yyjson |
| 2 | INFO | scorpiox-wsl uses _spawnvp() instead of system() — safe pattern |
| 3 | INFO | Self-update uses atomic NTFS rename chain |
| 4 | INFO | scorpiox-busybox is offline-only with minimal attack surface |
| 5 | INFO | No Windows-specific privilege escalation (no service installation, no registry modification) |
| 6 | INFO | Windows Defender / SmartScreen may flag unsigned executables |
| 7 | INFO | CreateProcessA() used safely for process spawning |
| 8 | INFO | WinInet API used for HTTPS downloads (inherits system TLS settings) |
Windows-Specific Security Posture
| Property | Status |
|---|
| Code signing | ❌ Not implemented |
| Windows service installation | ❌ Not applicable (CLI tool) |
| Registry modification | ❌ None |
| UAC elevation | ❌ Not required |
| Windows Firewall rules | ❌ Not modified |
system() on Windows | Limited — _spawnvp() preferred |
| DLL search order hijacking | Low risk — static linking minimizes DLLs |
Assessment
The Windows deployment profile is clean. The software operates as an unprivileged CLI application with no system-level modifications. The primary risk on Windows is the unsigned binary distribution (may trigger SmartScreen warnings) and the CGI command injection in scorpiox-server.c (covered in Section 12).
15. Telemetry and Tracking
Agent Risk Rating: LOW
Key Findings
| # | Severity | Finding |
|---|
| 1 | LOW | Documentation bug: help text states USAGE_TRACKING defaults to 1 but compiled default is "0" |
| 2 | INFO | All telemetry disabled by default (USAGE_TRACKING=0, EMIT_SESSION_TRACKING=0) |
| 3 | INFO | No mandatory data collection — zero data sent unless user explicitly enables |
| 4 | INFO | Usage tracking collects hostname, username, project name when enabled |
| 5 | INFO | Session telemetry sends full conversation content when enabled (documented) |
| 6 | INFO | No third-party analytics, advertising SDKs, or fingerprinting |
| 7 | INFO | Update check only in scorpiox-wsl helper, not main sx binary |
| 8 | INFO | WhatsApp bridge auto-download only triggers when feature explicitly used |
Telemetry Configuration Defaults
| Feature | Default | User Control |
|---|
| Usage tracking | Disabled (0) | USAGE_TRACKING config key |
| Session telemetry | Disabled (0) | EMIT_SESSION_TRACKING config key |
| Auto-update check | Disabled (empty URL) | UPDATE_URL config key |
| Bridge auto-download | On-demand | Only when WhatsApp feature used |
Assessment
Excellent privacy posture. No tracking by default, no mandatory data collection, full user control over all telemetry features. The session telemetry feature (which sends conversation content) is appropriately documented as sensitive and disabled by default.
16. Install Script & Distribution Security
Agent Risk Rating: CRITICAL
Key Findings
| # | Severity | Finding |
|---|
| 1 | CRITICAL | No cryptographic integrity verification of any downloaded binary (no checksums, GPG, code signing) |
| 2 | CRITICAL | curl -k disables TLS verification during binary downloads in tmux and podman modules |
| 3 | CRITICAL | Hardcoded NAS/SMB credentials for distribution server in plaintext across 15+ files |
| 4 | CRITICAL | curl\ | bash install pattern executes remote code without any verification |
| 5 | HIGH | Self-update uses file-size comparison only (no hash or signature) |
| 6 | HIGH | Bridge binary auto-download has no integrity verification |
| 7 | HIGH | No reproducible build process or build provenance attestation |
| 8 | HIGH | Distribution server backed by SMB share with shared credentials |
| 9 | MEDIUM | Container image downloads have no integrity checks |
| 10 | MEDIUM | Install path ~/.scorpiox not protected by restrictive permissions |
| 11 | MEDIUM | Same-size binary replacement not detected by update mechanism |
| 12 | MEDIUM | No rollback mechanism for failed updates |
| 13 | LOW | index.txt branch resolution fetched over HTTP without verification |
| 14 | LOW | No uninstall mechanism |
| 15 | LOW | chmod 0755 on all downloaded binaries without content validation |
| 16 | INFO | Hardcoded SSH passwords for build hosts in release scripts |
| 17 | INFO | TMUX_PODMAN_TLS_VERIFY defaults to false |
| 18 | INFO | No Windows iwr\ | iex install pattern (Windows uses WSL launcher) |
Recommendations (Priority Order)
Implement SHA-256 checksum verification for all binary downloads (publish checksums alongside binaries)
Implement code signing (Authenticode for Windows, GPG for Linux)
Remove curl -k from all download paths
Remove hardcoded NAS credentials from source code
Implement binary hash verification in self-update mechanism
Add reproducible build pipeline with provenance attestation
17. Consolidated Risk Matrix
| Area | Finding | Severity | Windows | Recommendation |
|---|
| Install/Distribution | No cryptographic verification of binaries | CRITICAL | ✅ | Implement SHA-256 checksums + code signing |
| Install/Distribution | curl -k disables TLS during downloads | CRITICAL | ✅ | Remove curl -k flag |
| Install/Distribution | Hardcoded NAS/SMB credentials in source | CRITICAL | ✅ | Move to secrets management |
| Install/Distribution | curl\ | bash install pattern | CRITICAL | ❌ | Provide package manager / signed installer |
| TLS Security | SSL verification disabled in token fetchers | CRITICAL | ✅ | Set VERIFYPEER=1, VERIFYHOST=2 |
| TLS Security | SSL verification disabled for SMTP email | CRITICAL | ✅ | Enable certificate validation |
| Network Endpoints | Hardcoded private IP with credential path | CRITICAL | ✅ | Move to runtime config |
| Network Endpoints | Hardcoded public IP as default host | CRITICAL | ✅ | Use DNS hostname |
| File I/O | API keys logged to disk in HTTP headers | CRITICAL | ✅ | Redact sensitive headers |
| File I/O | VTRACE logs all secrets in plaintext | CRITICAL | ✅ | Apply is_sensitive() check |
| Command Injection | Windows CGI QUERY_STRING injection (CVSS 9.8) | CRITICAL | ✅ | Apply SX_SANITIZE_CMD |
| Command Injection | URL injection into system() | CRITICAL | ✅ | Use execvp() / sanitize input |
| Privilege Access | --privileged full root container | CRITICAL | ❌ | Linux-only, N/A for Windows |
| Network Endpoints | HTTP token endpoints (plaintext) | HIGH | ✅ | Migrate to HTTPS |
| TLS Security | Traffic proxy disables cert validation | HIGH | ✅ | Add configurable verification |
| TLS Security | FRP client disables mbedTLS verification | HIGH | ✅ | Enable MBEDTLS_SSL_VERIFY_REQUIRED |
| TLS Security | OAuth over unverified TLS | HIGH | ✅ | Enable verification |
| TLS Security | mbedTLS 3.6.3 known vulnerabilities | HIGH | ✅ | Update to 3.6.6 |
| File I/O | Predictable temp files (symlink attacks) | HIGH | ✅ | Use mkstemp()/mkdtemp() |
| File I/O | World-readable log files | HIGH | ✅ | Set permissions to 0600 |
| File I/O | World-readable session files | HIGH | ✅ | Set permissions to 0600 |
| Memory Safety | Missing NULL checks after calloc | HIGH | ✅ | Add NULL checks in sx.c |
| Memory Safety | Realloc overwrite pattern | HIGH | ✅ | Use temporary variable |
| Command Injection | WSL env variable injection | HIGH | ✅ | Sanitize env values |
| Command Injection | SDK repo path injection | HIGH | ✅ | Validate input |
| Install/Distribution | Self-update by file size only | HIGH | ✅ | Implement hash verification |
| Install/Distribution | Bridge auto-download no verification | HIGH | ✅ | Add checksum verification |
| Install/Distribution | No reproducible builds | HIGH | ✅ | Implement build provenance |
| Install/Distribution | SMB share distribution server | HIGH | ✅ | Use proper CDN with signed artifacts |
| Privilege Access | Server binds to 0.0.0.0 | HIGH | ✅ | Default to 127.0.0.1 |
| Privilege Access | DNS on privileged port 53 | HIGH | ✅ | Document privilege requirements |
| Supply Chain | mbedTLS outdated (11 advisories) | MEDIUM | ✅ | Update to 3.6.6 |
| Supply Chain | Pre-built binaries in repo | MEDIUM | ✅ | Build from source in CI |
| Build | Missing RELRO/noexecstack | MEDIUM | ✅ | Add linker flags for dynamic builds |
| Build | Bridge missing hardening flags | MEDIUM | ✅ | Add -fstack-protector-strong |
| Buffer Safety | Unclamped snprintf return → OOB read | MEDIUM | ✅ | Clamp to buffer size |
| Memory Safety | 82 error-path memory leaks | MEDIUM | ✅ | Add cleanup on error paths |
| Credential | Placeholder API key "xxx" | MEDIUM | ✅ | Replace with empty string |
| Telemetry | Documentation bug (help text vs default) | LOW | ✅ | Fix help text |
18. Conclusion & Recommendations
Overall Assessment
ScorpioX Code is a well-engineered C application with exceptional buffer safety discipline and a privacy-respecting telemetry model. The codebase demonstrates strong secure coding practices in its core string handling, with zero uses of unsafe functions across 151K lines of project code. The Windows deployment posture is clean, with no system-level modifications, no privilege escalation, and safe process spawning patterns.
However, the software has systemic TLS/SSL verification weaknesses that undermine transport security across multiple modules, a complete absence of cryptographic integrity verification in its binary distribution pipeline, and critical command injection vectors in network-reachable code paths.
Priority Remediation Roadmap
Immediate (Critical — Before Deployment)
Fix CGI command injection in scorpiox-server.c — apply SX_SANITIZE_CMD to QUERY_STRING and PATH_INFO
Enable SSL certificate verification in all token fetchers and email module
Migrate token endpoints from HTTP to HTTPS
Implement binary checksum verification (SHA-256) for all download paths
Remove hardcoded NAS/SMB credentials from source code
Short-Term (High — Within 30 Days)
Update vendored mbedTLS from 3.6.3 to 3.6.6
Set log and session file permissions to 0600
Replace predictable temp file patterns with mkstemp()/mkdtemp()
Add NULL checks after all allocation calls in sx.c
Implement code signing (Authenticode for Windows .exe)
Medium-Term (Medium — Within 90 Days)
Implement reproducible build pipeline with provenance attestation
Address 82 error-path memory leak locations
Clamp snprintf return values before passing to send_all()
Replace system() calls with execvp()/CreateProcessW where feasible
Default server bindings to 127.0.0.1 instead of 0.0.0.0
Risk Acceptance Note
For Windows workstation deployment, the software's risk profile is manageable. The Linux-only findings (rootless container runtime, unshare privileged mode) do not apply. The Windows-specific risk is dominated by the CGI command injection in scorpiox-server.c (CVSS 9.8) — this should be the top-priority fix. All other Windows findings are HIGH or lower.
19. Appendix: Audit Methodology
Agents Deployed
| # | Agent | Scope | Method |
|---|
| 01 | supply-chain | Package dependencies, vendored libraries, lock files | Dependency tree analysis, version comparison, CVE lookup |
| 02 | build-provenance | CMake configuration, compiler flags, build scripts | Build system parsing, flag analysis |
| 03 | network-endpoints | URLs, IPs, ports, DNS in source code | Static string extraction, protocol analysis |
| 04 | tls-security | Certificate verification, TLS configuration, cipher suites | libcurl/mbedTLS configuration analysis |
| 05 | credential-hardcode | API keys, passwords, tokens, secrets in source | Pattern matching, entropy analysis |
| 06 | file-io | File operations, permissions, temp files, logging | System call tracing, permission analysis |
| 07 | buffer-safety | sprintf/strcpy/strcat usage, stack buffers, bounds checking | Unsafe function enumeration, bounds analysis |
| 08 | memory-safety | malloc/calloc/realloc NULL checks, use-after-free, double-free, leaks | Allocation tracking, error-path analysis |
| 09 | command-injection | system()/popen()/exec*() with unsanitized input | Taint analysis, sink identification |
| 10 | privilege-access | setuid/setgid/chroot/capabilities, root requirements | Privilege call enumeration, access control review |
| 11 | windows-deployment | Windows-specific binaries, APIs, deployment patterns | Platform-conditional code analysis |
| 12 | telemetry-tracking | Data collection, tracking, phone-home behavior | Configuration default analysis, network call audit |
| 13 | install-script | Distribution mechanism, update pipeline, integrity verification | Install flow analysis, cryptographic verification audit |
Scope
- In scope: All project source code (151,487 lines across ~223 C/H files)
- Partial scope: Vendored libraries (mbedTLS, yyjson) — version and configuration analysis only
- Out of scope: Third-party system libraries (libcurl, OpenSSL, zlib), runtime behavior testing, penetration testing
Severity Definitions
| Level | Definition |
|---|
| Critical | Exploitable vulnerability with direct security impact (RCE, credential theft, MITM on auth) |
| High | Significant security weakness requiring attacker positioning or configuration (privilege escalation, data exposure) |
| Medium | Defensive gap that increases attack surface or reduces security margin |
| Low | Minor issue with limited practical impact |
| Info | Observation or positive finding for completeness |