📄 security-audit-report.md
⬇ Download Raw

Third-Party Software Security Review — ScorpioX Code

Software: ScorpioX Code Type: AI-Powered Development Tool / CLI Platform Language: Pure C (zero external dependencies) Audit Date: 2026-04-28 Codebase Commit: 9bfa5b461aa008cd7a1713d37c9aa6c44cecc4ce Classification: CONFIDENTIAL — For Corporate Review Only

1. Executive Summary

This report presents a comprehensive security audit of ScorpioX Code, an AI-powered development tool and CLI platform written in pure C. The audit was performed by 13 specialized automated agents, each analyzing a distinct security domain across 378,558 total lines of code (151,487 project code, 226,685 vendor code).

Overall Risk Rating: HIGH

The software demonstrates exceptional discipline in several areas — notably zero uses of unsafe string functions (strcpy, strcat, gets, scanf), a safe-to-unsafe function ratio exceeding 2,800:1, all telemetry disabled by default, and comprehensive use of bounded buffer operations. However, significant risks persist in TLS certificate verification (systematically disabled across token fetchers and email), command injection vectors in network-reachable code paths, a complete absence of cryptographic integrity verification for binary distribution, and sensitive data exposure through log files.

Aggregate Findings

SeverityCount
Critical13
High33
Medium120
Low28
Informational355
Total549
Windows-Filtered Findings (excluding Linux/macOS-only): 11 Critical, 28 High, 118 Medium, 28 Low — 185 actionable findings.

Key Strengths

Critical Concerns

  • No cryptographic verification of distributed binaries (no checksums, signatures, or code signing)
  • SSL certificate verification disabled in token fetchers and email module (MITM risk)
  • Command injection vectors in network-reachable server code (Windows CGI path)
  • Sensitive data logged to disk including API keys in HTTP headers and VTRACE config dumps
  • Outdated vendored mbedTLS (3.6.3 vs 3.6.6) with 11 unpatched security advisories

  • 2. Deployment Scope — Windows Workstation

    Primary Deployment: Windows Workstation

    The following binaries are compiled and deployed on Windows:

    CategoryBinaries
    Core CLIsx.exe, scorpiox-config.exe, scorpiox-bash.exe, scorpiox-vi.exe
    Shell & Toolsscorpiox-busybox.exe, scorpiox-pwsh.exe, scorpiox-wsl.exe
    AI/APIscorpiox-agent.exe, scorpiox-openai.exe, scorpiox-gemini.exe
    Networkingscorpiox-fetch.exe, scorpiox-websearch.exe, scorpiox-dns.exe
    Mediascorpiox-screenshot.exe, scorpiox-renderimage.exe, scorpiox-voice.exe
    Auth/Tokenscorpiox-claudecode-fetchtoken.exe, scorpiox-codex-fetchtoken.exe, scorpiox-gemini-fetchtoken.exe
    Serverscorpiox-server.exe, scorpiox-server-email.exe, scorpiox-server-http2tcp.exe
    Utilitiesscorpiox-conv.exe, scorpiox-debug.exe, scorpiox-email.exe, scorpiox-frp.exe, scorpiox-hook.exe, scorpiox-host.exe, scorpiox-kql.exe, scorpiox-logger.exe, scorpiox-mcp.exe, scorpiox-mirror-git.exe, scorpiox-multiplexer.exe, scorpiox-otp.exe, scorpiox-planmode.exe, scorpiox-printlogs.exe, scorpiox-rewind.exe, scorpiox-runtest.exe, scorpiox-sdk.exe, scorpiox-search.exe, scorpiox-skills.exe, scorpiox-systemprompt.exe, scorpiox-tasks.exe, scorpiox-tmux.exe, scorpiox-transcript.exe, scorpiox-usage.exe, scorpiox-vault-git.exe, scorpiox-emit-session.exe, scorpiox-executecurl.exe, scorpiox-askuserquestion.exe, scorpiox-beam.exe, scorpiox-docs.exe, scorpiox-server-fetchtoken.exe
    Librarylibsx.dll
    Total Windows binaries: ~58 executables + 1 DLL

    Linux-Only Binaries (Not Deployed on Windows)

    BinaryPurpose
    scorpiox-unshareRootless container runtime (Linux namespaces)
    scorpiox-vmQEMU/KVM hypervisor manager
    scorpiox-initContainer init process
    scorpiox-sshpassPTY-based SSH password feeder
    scorpiox-trafficNetwork traffic proxy
    scorpiox-podmanPodman container integration
    scorpiox-cronCron job scheduler
    scorpiox-whatsappWhatsApp bridge manager

    macOS-Only Binaries

    BinaryPurpose
    scorpiox-imessageiMessage AppleScript bridge

    Windows-Filtered Risk Summary

    After excluding Linux-only and macOS-only findings:

    SeverityAll PlatformsWindows-RelevantExcluded
    Critical13112 (unshare privileged, curl\bash Linux install)
    High33285 (unshare, sshpass, imessage, podman)
    Medium1201182 (unshare namespace, auto-subuid)
    Low28280
    Actionable Total1941859

    3. Changes Since Last Audit

    Previous Audit: output/2026-04-28_4d61a6a (commit 4d61a6a) Previous Agents: 11 (supply-chain through windows-deployment) Current Agents: 13 (added telemetry-tracking, install-script)

    Severity Comparison

    SeverityPreviousCurrentDeltaNotes
    Critical1013+3Install script audit added 4 new CRITICAL findings
    High2533+8Install script (4), expanded memory-safety analysis
    Medium70120+50Memory-safety error-path leaks (82) now enumerated individually
    Low12328−95Reclassification: many prior LOW findings moved to INFO
    Info167355+188Memory-safety dangling pointers (291) now tracked as INFO
    Total395549+154Expanded audit scope (2 new agents) + deeper analysis

    Key Changes

  • New: Telemetry & Tracking Audit — Confirmed all telemetry disabled by default (LOW risk)
  • New: Install Script Audit — Uncovered 4 CRITICAL findings in binary distribution pipeline
  • Memory Safety — Deeper analysis now tracks 291 INFO-level dangling pointer risks and 82 MEDIUM error-path memory leaks
  • Codebase Size — Reduced from 398,610 to 378,558 total lines (cleanup of duplicate/plan files)

  • 4. Supply Chain & Dependencies

    Agent Risk Rating: MEDIUM

    Key Findings

    #SeverityFinding
    1MEDIUMVendored mbedTLS 3.6.3 is 3 patch releases behind LTS 3.6.6 — 11 security advisories unpatched
    2MEDIUMTwo pre-built ELF binaries committed to repository (bridge/scorpiox-ws2tcp, ARM64 variant)
    3LOWnpm release candidate dependency (@whiskeysockets/baileys@7.0.0-rc.9)
    4LOW~105 transitive npm dependencies in bridge component
    5INFOAll system dependencies (libcurl, OpenSSL, zlib) are standard OS-packaged libraries
    6INFOyyjson 0.12.0 is current — no known CVEs
    7INFOgnuwin64 vendor contains only download scripts, no committed binaries
    8INFOLock file (bun.lock) committed with integrity hashes

    Recommendations


    5. Build System & Code Provenance

    Agent Risk Rating: LOW

    Key Findings

    #SeverityFinding
    1MEDIUMMissing linker hardening flags (RELRO, noexecstack) — mitigated by static linking default
    2MEDIUMBridge Makefile lacks -fstack-protector-strong and -D_FORTIFY_SOURCE=2
    3LOWModel header code generator (tests/code_generator_models.py) fetches from network at build time
    4LOWSuppressed GCC warnings (-Wno-format-truncation, -Wno-stringop-truncation)
    5LOWNo reproducible build mechanism (no build provenance attestation)
    6INFOC11 standard, CMake 3.16+, pure C project
    7INFOStatic linking default (SX_STATIC_LINK=ON) reduces runtime attack surface
    8INFOfstack-protector-strong enabled on all builds
    9INFO_FORTIFY_SOURCE=2 enabled for release builds
    10INFOfcf-protection enabled for GCC builds

    Hardening Flags Summary

    FlagStatus
    -Wall -Wextra✅ Enabled
    -fstack-protector-strong✅ Enabled
    -D_FORTIFY_SOURCE=2✅ Release builds
    -fcf-protection✅ GCC builds
    -Wl,-z,relro -Wl,-z,now❌ Missing (mitigated by static linking)
    -fPIE -pie❌ N/A for static builds
    -fstack-clash-protection❌ Missing

    6. Network Endpoints

    Agent Risk Rating: HIGH

    Key Findings

    #SeverityFinding
    1CRITICALHardcoded private network IP (192.168.1.12:8045) with default credential path for Anthropic proxy
    2CRITICALHardcoded public IP (20.53.240.54) as default TCP relay host
    3HIGHPlaintext HTTP endpoints for authentication token retrieval (token.scorpiox.net)
    4HIGHPAT (Personal Access Token) injected into HTTPS clone URLs
    5HIGHHTTP metadata endpoints (169.254.169.254) for cloud token retrieval
    6HIGHFRP tunnel configuration with hardcoded server endpoint
    7HIGHSSH connection strings with credential interpolation
    8MEDIUM10+ hardcoded dist.scorpiox.net URLs for binary distribution
    9MEDIUMHardcoded DNS resolvers (1.1.1.1, 8.8.8.8)
    10MEDIUMOAuth2 token exchange URLs for Google, Microsoft identity providers

    Network Inventory Summary

    Recommendations


    7. TLS/SSL Security

    Agent Risk Rating: HIGH

    Key Findings

    #SeverityFindingCWE
    1CRITICALSSL verification disabled in 3 token fetchers (CURLOPT_SSL_VERIFYPEER=0)CWE-295
    2CRITICALSSL verification disabled for SMTP/TLS email sendingCWE-295
    3HIGHAuthentication tokens fetched over plaintext HTTPCWE-319
    4HIGHTraffic proxy disables all upstream certificate validationCWE-295
    5HIGHFRP tunnel client uses mbedTLS with MBEDTLS_SSL_VERIFY_NONECWE-295
    6HIGHOAuth token exchange over unverified connectionsCWE-295
    7HIGHVendored mbedTLS 3.6.3 has known TLS 1.3 impersonation vulnerabilityCWE-295
    8MEDIUMNo certificate pinning for any first-party servicesCWE-295
    9MEDIUMMixed use of system CA store and disabled verification across modules
    10LOWTMUX_PODMAN_TLS_VERIFY defaults to falseCWE-295

    TLS Verification Status by Module

    ModuleVerificationStatus
    scorpiox-gemini-fetchtokenDisabled❌ CRITICAL
    scorpiox-codex-fetchtokenDisabled❌ CRITICAL
    scorpiox-claudecode-fetchtokenDisabled❌ CRITICAL
    scorpiox-emailDisabled❌ CRITICAL
    scorpiox-trafficDisabled (by design — proxy)⚠️ HIGH
    scorpiox-frpDisabled (mbedTLS)⚠️ HIGH
    scorpiox-codex-refreshtokenEnabled
    scorpiox-claudecode-refreshtokenEnabled
    sx (main AI client)System CA store

    Recommendations


    8. Hardcoded Credentials

    Agent Risk Rating: LOW

    Key Findings

    #SeverityFinding
    1MEDIUMPlaceholder API key "xxx" compiled as default for OPENAI_API_KEY
    2LOWSSH credential placeholder fields (_PASS) in compiled defaults
    3LOWHardcoded infrastructure IPs (192.168.1.12, 20.53.240.54) in defaults
    4INFO20+ API key fields correctly initialized to empty strings
    5INFOsx_config_is_sensitive() function properly redacts known secret fields

    Positive Patterns

    Recommendations


    9. File I/O & Data Handling

    Agent Risk Rating: HIGH

    Key Findings

    #SeverityFindingCWE
    1CRITICALAPI request/response bodies logged to disk including API keys in HTTP headersCWE-532
    2CRITICALConfig VTRACE logs ALL key-value pairs including secrets (bypasses redaction)CWE-532
    3HIGHPredictable temp file names enable symlink attacks (TOCTOU)CWE-377
    4HIGHHardcoded log paths with world-readable default permissions (0644)CWE-732
    5HIGHSession conversation files readable by all local usersCWE-732
    6MEDIUMNo file locking on concurrent config reads/writesCWE-362
    7MEDIUMDownloaded files stored without integrity verificationCWE-354
    8MEDIUMEmail body written to temp file before sending (plaintext)CWE-312
    9MEDIUMWSL overlay filesystem operations use predictable pathsCWE-377
    10MEDIUMContainer image extraction without path traversal checks (tar)CWE-22

    Positive Patterns

    Recommendations


    10. Buffer Safety

    Agent Risk Rating: LOW

    Key Findings

    #SeverityFinding
    1MEDIUM5 locations where unclamped snprintf return value passed to send_all() (potential OOB read on truncation)
    2MEDIUM4 locations where HTTP response headers constructed without clamping snprintf return
    3MEDIUMurl_encode() theoretical integer overflow on 32-bit: len * 3 + 1
    4MEDIUMsxmail_dkim.c:414 — 32KB stack buffer for DKIM signing
    5MEDIUMscorpiox-tmux.c:2323 — 16KB stack buffer for command assembly
    6LOWSingle sprintf in vendored yyjson (conditional fallback path)
    7LOWstrncpy used in 593 locations — proper sizeof()-1 pattern but no NUL guarantee on exact-fit

    Exceptional Metrics

    MetricValue
    sprintf calls (project code)0
    strcpy calls0
    strcat calls0
    gets calls0
    scanf calls0
    snprintf calls2,213
    strncpy calls593
    Safe-to-unsafe ratio>2,800:1
    Stack buffers ≥ 4KB214 (all bounded with sizeof())

    11. Memory Safety

    Agent Risk Rating: HIGH

    Key Findings

    #SeverityCountFinding
    1HIGH5Missing NULL checks after calloc() in sx.c (AgentThread allocation)
    2HIGH1realloc() result assigned directly to source pointer in sx_mcp.c (memory leak on failure)
    3MEDIUM82Memory leaks on error paths — allocations not freed before early return
    4INFO291Freed pointers not set to NULL (dangling pointer risk)

    Analysis Summary

    CategoryCountSeverity
    Missing malloc/calloc NULL check5HIGH
    Realloc overwrite pattern1HIGH
    Memory leak on error path82MEDIUM
    Free without NULL assignment291INFO

    Recommendations


    12. Command Injection

    Agent Risk Rating: CRITICAL

    Key Findings

    #SeverityFindingCVSS
    1CRITICALscorpiox-docs.c — URL injected into system() without sanitization7.8 (local)
    2CRITICALscorpiox-server.c — Windows CGI QUERY_STRING/PATH_INFO not sanitized in _popen()9.8 (network)
    3HIGHscorpiox-imessage.c — AppleScript injection via incomplete escaping (macOS-only)8.6
    4HIGHscorpiox-wsl.c — Environment variable injection into chroot shell command7.8
    5HIGHscorpiox-sdk.c — SDK repo path injected into shell commands7.8
    6HIGHscorpiox-unshare.c — Container hostname/command injection (Linux-only)7.8
    7MEDIUMscorpiox-multiplexer.c — Session name used in system()6.5
    8MEDIUMscorpiox-tmux.c — Project path interpolated into shell commands6.5
    9MEDIUMscorpiox-host.c — Hostname injected into shell strings6.5
    10MEDIUMscorpiox-kql.c — KQL query passed to system()6.5

    System Call Inventory

    FunctionCount (project code)
    system()77+
    popen()30+
    exec*()40+

    Windows-Critical: C2 (CVSS 9.8)

    The scorpiox-server.c Windows CGI path uses _popen() with unsanitized QUERY_STRING and PATH_INFO from HTTP requests. An attacker can break out of the set "..." command on Windows to execute arbitrary commands remotely. This is the highest-severity finding in the entire audit.

    Recommendations


    13. Privilege & Access Control

    Agent Risk Rating: MEDIUM

    Key Findings

    #SeverityFinding
    1CRITICALscorpiox-unshare --privileged runs container with full root capabilities (Linux-only)
    2HIGHscorpiox-wsl uses chroot with shell-interpolated environment variables (Windows)
    3HIGHscorpiox-sshpass disables SSH host key verification by default (Linux-only)
    4HIGHscorpiox-unshare auto-creates /etc/subuid and /etc/subgid when root (Linux-only)
    5HIGHMultiple server components bind to 0.0.0.0 by default (all interfaces)
    6HIGHDNS server (scorpiox-dns) listens on privileged port 53
    7HIGHnewuidmap/newgidmap setuid helper reliance (Linux-only)
    8MEDIUMNo rate limiting or authentication on local server endpoints
    9MEDIUMContainer hostname written to /etc/hostname inside namespace
    10MEDIUMJWT validation uses hardcoded issuer/audience URLs
    11MEDIUMServer email component stores SMTP credentials in config
    12MEDIUMsetgroups allowed when full UID range available

    Windows-Relevant Privilege Findings

    After excluding Linux-only findings (unshare, sshpass, podman, cron):

    Positive Patterns


    14. Windows Deployment Analysis

    Agent Risk Rating: LOW

    Key Findings

    #SeverityFinding
    1INFOMinGW static linking with vendored mbedTLS and yyjson
    2INFOscorpiox-wsl uses _spawnvp() instead of system() — safe pattern
    3INFOSelf-update uses atomic NTFS rename chain
    4INFOscorpiox-busybox is offline-only with minimal attack surface
    5INFONo Windows-specific privilege escalation (no service installation, no registry modification)
    6INFOWindows Defender / SmartScreen may flag unsigned executables
    7INFOCreateProcessA() used safely for process spawning
    8INFOWinInet API used for HTTPS downloads (inherits system TLS settings)

    Windows-Specific Security Posture

    PropertyStatus
    Code signing❌ Not implemented
    Windows service installation❌ Not applicable (CLI tool)
    Registry modification❌ None
    UAC elevation❌ Not required
    Windows Firewall rules❌ Not modified
    system() on WindowsLimited — _spawnvp() preferred
    DLL search order hijackingLow risk — static linking minimizes DLLs

    Assessment

    The Windows deployment profile is clean. The software operates as an unprivileged CLI application with no system-level modifications. The primary risk on Windows is the unsigned binary distribution (may trigger SmartScreen warnings) and the CGI command injection in scorpiox-server.c (covered in Section 12).


    15. Telemetry and Tracking

    Agent Risk Rating: LOW

    Key Findings

    #SeverityFinding
    1LOWDocumentation bug: help text states USAGE_TRACKING defaults to 1 but compiled default is "0"
    2INFOAll telemetry disabled by default (USAGE_TRACKING=0, EMIT_SESSION_TRACKING=0)
    3INFONo mandatory data collection — zero data sent unless user explicitly enables
    4INFOUsage tracking collects hostname, username, project name when enabled
    5INFOSession telemetry sends full conversation content when enabled (documented)
    6INFONo third-party analytics, advertising SDKs, or fingerprinting
    7INFOUpdate check only in scorpiox-wsl helper, not main sx binary
    8INFOWhatsApp bridge auto-download only triggers when feature explicitly used

    Telemetry Configuration Defaults

    FeatureDefaultUser Control
    Usage trackingDisabled (0)USAGE_TRACKING config key
    Session telemetryDisabled (0)EMIT_SESSION_TRACKING config key
    Auto-update checkDisabled (empty URL)UPDATE_URL config key
    Bridge auto-downloadOn-demandOnly when WhatsApp feature used

    Assessment

    Excellent privacy posture. No tracking by default, no mandatory data collection, full user control over all telemetry features. The session telemetry feature (which sends conversation content) is appropriately documented as sensitive and disabled by default.

    16. Install Script & Distribution Security

    Agent Risk Rating: CRITICAL

    Key Findings

    #SeverityFinding
    1CRITICALNo cryptographic integrity verification of any downloaded binary (no checksums, GPG, code signing)
    2CRITICALcurl -k disables TLS verification during binary downloads in tmux and podman modules
    3CRITICALHardcoded NAS/SMB credentials for distribution server in plaintext across 15+ files
    4CRITICALcurl\bash install pattern executes remote code without any verification
    5HIGHSelf-update uses file-size comparison only (no hash or signature)
    6HIGHBridge binary auto-download has no integrity verification
    7HIGHNo reproducible build process or build provenance attestation
    8HIGHDistribution server backed by SMB share with shared credentials
    9MEDIUMContainer image downloads have no integrity checks
    10MEDIUMInstall path ~/.scorpiox not protected by restrictive permissions
    11MEDIUMSame-size binary replacement not detected by update mechanism
    12MEDIUMNo rollback mechanism for failed updates
    13LOWindex.txt branch resolution fetched over HTTP without verification
    14LOWNo uninstall mechanism
    15LOWchmod 0755 on all downloaded binaries without content validation
    16INFOHardcoded SSH passwords for build hosts in release scripts
    17INFOTMUX_PODMAN_TLS_VERIFY defaults to false
    18INFONo Windows iwr\iex install pattern (Windows uses WSL launcher)

    Recommendations (Priority Order)

  • Implement SHA-256 checksum verification for all binary downloads (publish checksums alongside binaries)
  • Implement code signing (Authenticode for Windows, GPG for Linux)
  • Remove curl -k from all download paths
  • Remove hardcoded NAS credentials from source code
  • Implement binary hash verification in self-update mechanism
  • Add reproducible build pipeline with provenance attestation

  • 17. Consolidated Risk Matrix

    AreaFindingSeverityWindowsRecommendation
    Install/DistributionNo cryptographic verification of binariesCRITICALImplement SHA-256 checksums + code signing
    Install/Distributioncurl -k disables TLS during downloadsCRITICALRemove curl -k flag
    Install/DistributionHardcoded NAS/SMB credentials in sourceCRITICALMove to secrets management
    Install/Distributioncurl\bash install patternCRITICALProvide package manager / signed installer
    TLS SecuritySSL verification disabled in token fetchersCRITICALSet VERIFYPEER=1, VERIFYHOST=2
    TLS SecuritySSL verification disabled for SMTP emailCRITICALEnable certificate validation
    Network EndpointsHardcoded private IP with credential pathCRITICALMove to runtime config
    Network EndpointsHardcoded public IP as default hostCRITICALUse DNS hostname
    File I/OAPI keys logged to disk in HTTP headersCRITICALRedact sensitive headers
    File I/OVTRACE logs all secrets in plaintextCRITICALApply is_sensitive() check
    Command InjectionWindows CGI QUERY_STRING injection (CVSS 9.8)CRITICALApply SX_SANITIZE_CMD
    Command InjectionURL injection into system()CRITICALUse execvp() / sanitize input
    Privilege Access--privileged full root containerCRITICALLinux-only, N/A for Windows
    Network EndpointsHTTP token endpoints (plaintext)HIGHMigrate to HTTPS
    TLS SecurityTraffic proxy disables cert validationHIGHAdd configurable verification
    TLS SecurityFRP client disables mbedTLS verificationHIGHEnable MBEDTLS_SSL_VERIFY_REQUIRED
    TLS SecurityOAuth over unverified TLSHIGHEnable verification
    TLS SecuritymbedTLS 3.6.3 known vulnerabilitiesHIGHUpdate to 3.6.6
    File I/OPredictable temp files (symlink attacks)HIGHUse mkstemp()/mkdtemp()
    File I/OWorld-readable log filesHIGHSet permissions to 0600
    File I/OWorld-readable session filesHIGHSet permissions to 0600
    Memory SafetyMissing NULL checks after callocHIGHAdd NULL checks in sx.c
    Memory SafetyRealloc overwrite patternHIGHUse temporary variable
    Command InjectionWSL env variable injectionHIGHSanitize env values
    Command InjectionSDK repo path injectionHIGHValidate input
    Install/DistributionSelf-update by file size onlyHIGHImplement hash verification
    Install/DistributionBridge auto-download no verificationHIGHAdd checksum verification
    Install/DistributionNo reproducible buildsHIGHImplement build provenance
    Install/DistributionSMB share distribution serverHIGHUse proper CDN with signed artifacts
    Privilege AccessServer binds to 0.0.0.0HIGHDefault to 127.0.0.1
    Privilege AccessDNS on privileged port 53HIGHDocument privilege requirements
    Supply ChainmbedTLS outdated (11 advisories)MEDIUMUpdate to 3.6.6
    Supply ChainPre-built binaries in repoMEDIUMBuild from source in CI
    BuildMissing RELRO/noexecstackMEDIUMAdd linker flags for dynamic builds
    BuildBridge missing hardening flagsMEDIUMAdd -fstack-protector-strong
    Buffer SafetyUnclamped snprintf return → OOB readMEDIUMClamp to buffer size
    Memory Safety82 error-path memory leaksMEDIUMAdd cleanup on error paths
    CredentialPlaceholder API key "xxx"MEDIUMReplace with empty string
    TelemetryDocumentation bug (help text vs default)LOWFix help text

    18. Conclusion & Recommendations

    Overall Assessment

    ScorpioX Code is a well-engineered C application with exceptional buffer safety discipline and a privacy-respecting telemetry model. The codebase demonstrates strong secure coding practices in its core string handling, with zero uses of unsafe functions across 151K lines of project code. The Windows deployment posture is clean, with no system-level modifications, no privilege escalation, and safe process spawning patterns.

    However, the software has systemic TLS/SSL verification weaknesses that undermine transport security across multiple modules, a complete absence of cryptographic integrity verification in its binary distribution pipeline, and critical command injection vectors in network-reachable code paths.

    Priority Remediation Roadmap

    Immediate (Critical — Before Deployment)

  • Fix CGI command injection in scorpiox-server.c — apply SX_SANITIZE_CMD to QUERY_STRING and PATH_INFO
  • Enable SSL certificate verification in all token fetchers and email module
  • Migrate token endpoints from HTTP to HTTPS
  • Implement binary checksum verification (SHA-256) for all download paths
  • Remove hardcoded NAS/SMB credentials from source code
  • Short-Term (High — Within 30 Days)

  • Update vendored mbedTLS from 3.6.3 to 3.6.6
  • Set log and session file permissions to 0600
  • Replace predictable temp file patterns with mkstemp()/mkdtemp()
  • Add NULL checks after all allocation calls in sx.c
  • Implement code signing (Authenticode for Windows .exe)
  • Medium-Term (Medium — Within 90 Days)

  • Implement reproducible build pipeline with provenance attestation
  • Address 82 error-path memory leak locations
  • Clamp snprintf return values before passing to send_all()
  • Replace system() calls with execvp()/CreateProcessW where feasible
  • Default server bindings to 127.0.0.1 instead of 0.0.0.0
  • Risk Acceptance Note

    For Windows workstation deployment, the software's risk profile is manageable. The Linux-only findings (rootless container runtime, unshare privileged mode) do not apply. The Windows-specific risk is dominated by the CGI command injection in scorpiox-server.c (CVSS 9.8) — this should be the top-priority fix. All other Windows findings are HIGH or lower.


    19. Appendix: Audit Methodology

    Agents Deployed

    #AgentScopeMethod
    01supply-chainPackage dependencies, vendored libraries, lock filesDependency tree analysis, version comparison, CVE lookup
    02build-provenanceCMake configuration, compiler flags, build scriptsBuild system parsing, flag analysis
    03network-endpointsURLs, IPs, ports, DNS in source codeStatic string extraction, protocol analysis
    04tls-securityCertificate verification, TLS configuration, cipher suiteslibcurl/mbedTLS configuration analysis
    05credential-hardcodeAPI keys, passwords, tokens, secrets in sourcePattern matching, entropy analysis
    06file-ioFile operations, permissions, temp files, loggingSystem call tracing, permission analysis
    07buffer-safetysprintf/strcpy/strcat usage, stack buffers, bounds checkingUnsafe function enumeration, bounds analysis
    08memory-safetymalloc/calloc/realloc NULL checks, use-after-free, double-free, leaksAllocation tracking, error-path analysis
    09command-injectionsystem()/popen()/exec*() with unsanitized inputTaint analysis, sink identification
    10privilege-accesssetuid/setgid/chroot/capabilities, root requirementsPrivilege call enumeration, access control review
    11windows-deploymentWindows-specific binaries, APIs, deployment patternsPlatform-conditional code analysis
    12telemetry-trackingData collection, tracking, phone-home behaviorConfiguration default analysis, network call audit
    13install-scriptDistribution mechanism, update pipeline, integrity verificationInstall flow analysis, cryptographic verification audit

    Scope

    Severity Definitions

    LevelDefinition
    CriticalExploitable vulnerability with direct security impact (RCE, credential theft, MITM on auth)
    HighSignificant security weakness requiring attacker positioning or configuration (privilege escalation, data exposure)
    MediumDefensive gap that increases attack surface or reduces security margin
    LowMinor issue with limited practical impact
    InfoObservation or positive finding for completeness