📄 security-audit-report.md
⬇ Download Raw

Third-Party Software Security Review — ScorpioX Code

Software: ScorpioX Code Type: AI-Powered Development Tool / CLI Platform Language: Pure C (zero external dependencies) Audit Date: 2026-04-29 Codebase Commit: b79400081eaa311219dd5d16aa7813f6ccbebba4 Classification: CONFIDENTIAL — For Corporate Review Only

1. Executive Summary

This report presents a comprehensive security audit of ScorpioX Code, an AI-powered development CLI platform written in pure C11 with zero external package-manager dependencies. The audit was conducted by 13 specialized automated agents covering supply chain, build provenance, network communications, TLS, credential handling, file I/O, buffer safety, memory safety, command injection, privilege management, Windows deployment, telemetry, and install/distribution security.

Key Metrics

MetricValue
Total Lines of Code (C/H)374,613
Project Code138,485 (37%)
Vendored Libraries236,128 (63%)
Vendored LibrariesmbedTLS 3.6.6, yyjson 0.12.0, stb_image 2.30
Total Findings272
Critical3
High20
Medium45
Low106
Informational98
Windows-Filtered Findings10 (all Info)
Overall Risk RatingMEDIUM

Summary Assessment

The codebase demonstrates strong security fundamentals: zero use of unsafe C functions (sprintf, strcpy, strcat, gets), comprehensive snprintf/strncpy usage (2,232+ bounded format calls), all secrets loaded from runtime configuration with empty compiled defaults, TLS 1.2+ enforced by default with certificate verification enabled, and all telemetry disabled by default. The vendored dependencies (mbedTLS 3.6.6, yyjson 0.12.0, stb_image 2.30) are all current with no known unpatched CVEs.

The primary risk areas are:

  • Install & Distribution Security (HIGH) — Missing HTTPS scheme on an install URL (curl | bash), no code signing, SHA256 checksums co-located with binaries, and container image downloads lacking integrity verification.
  • Command Injection (HIGH) — Multiple system() calls with environment-variable or config-driven inputs, particularly on Windows code paths where fork()+execvp() is unavailable.
  • Memory Safety (MEDIUM) — 93 allocation sites without NULL checks, 6 in critical network code paths, plus resource leaks on error paths.
  • File I/O (MEDIUM) — Predictable temp file names in two code paths, unbounded API request/response logging to disk.
  • For Windows workstation deployment, the risk profile is LOW. All 10 Windows-specific findings are informational. The Windows build uses safe process APIs (_spawnvp, CreateProcess), SHA256-verified downloads, configurable endpoints, and no hardcoded secrets.

    2. Deployment Scope — Windows Workstation

    2.1 Primary Deployment: Windows Workstation

    The following binaries are compiled for and deployed on Windows:

    BinaryPurpose
    sx.exeMain TUI — Claude AI interactive session
    scorpiox.exeAlias/launcher
    scorpiox-bash.exeShell command executor (CreateProcess + pipes)
    scorpiox-busybox.exeGNU coreutils manager (Windows-only)
    scorpiox-screenshot.exeScreen capture tool
    scorpiox-vi.exeText editor
    scorpiox-config.exeConfiguration manager
    scorpiox-websearch.exeWeb search tool
    scorpiox-fetch.exeURL content fetcher
    scorpiox-renderimage.exeImage renderer
    scorpiox-pwsh.exePowerShell integration
    scorpiox-wsl.exeWSL2 container runtime (Windows-only)

    Additional Windows-compiled binaries include: scorpiox-voice, scorpiox-server, scorpiox-otp, scorpiox-transcript, scorpiox-conv, scorpiox-rewind, scorpiox-debug, scorpiox-logger, scorpiox-printlogs, scorpiox-systemprompt, scorpiox-search, scorpiox-agent, scorpiox-tasks, scorpiox-skills, scorpiox-planmode, scorpiox-askuserquestion, scorpiox-gemini, scorpiox-mcp, scorpiox-beam, scorpiox-host, scorpiox-openai, scorpiox-claudecode-fetchtoken, scorpiox-claudecode-refreshtoken, scorpiox-codex-refreshtoken, scorpiox-claudecode-models, scorpiox-codex-fetchtoken, scorpiox-gemini-fetchtoken, scorpiox-server-fetchtoken, scorpiox-server-http2tcp, scorpiox-sdk, scorpiox-email, scorpiox-server-email, scorpiox-usage, scorpiox-emit-session, scorpiox-frp, scorpiox-hook, scorpiox-tmux, scorpiox-multiplexer, scorpiox-mirror-git, scorpiox-vault-git, scorpiox-dns, scorpiox-kql, libsx.dll.

    2.2 Server-Side / Linux-Only (Not Deployed to Workstations)

    BinaryPlatformPurpose
    scorpiox-unshareLinuxRootless container runtime (namespaces)
    scorpiox-vmLinuxKVM virtual machine runner
    scorpiox-initLinuxContainer init/tool loader
    scorpiox-sshpassUnixSSH password helper
    scorpiox-podmanLinuxPodman container wrapper
    scorpiox-trafficLinuxMITM traffic inspector
    scorpiox-cronLinuxCron job manager
    scorpiox-whatsappLinuxWhatsApp bridge
    scorpiox-docsLinuxDocumentation generator
    scorpiox-runtestLinuxTest runner
    scorpiox-executecurlLinuxcURL executor
    scorpiox-thunderbolt4macOSThunderbolt4 networking
    scorpiox-imessagemacOSiMessage bridge

    2.3 Windows-Filtered Findings

    SeverityFull AuditWindows Only
    Critical30
    High200
    Medium450
    Low1060
    Info9810
    Total27210

    The vast majority of critical, high, and medium findings relate to Linux-only components (container runtime, VM runner, MITM proxy) or Linux-only code paths (fork()+execvp() patterns, Unix temp files, privileged port binding). The Windows deployment surface is materially safer.


    3. Changes Since Last Audit

    PropertyPrevious AuditCurrent AuditDelta
    Audit Date2026-04-282026-04-29+1 day
    Commitb85fca98b7940008New commit
    Lines of Code369,205374,613+5,408
    Project LOC143,309138,485-4,824
    Vendor LOC225,896236,128+10,232
    Agents Used5 (broad-scope)13 (specialized)+8 agents
    Overall RiskMEDIUMMEDIUMNo change

    Findings Delta by Severity

    SeverityPreviousCurrentDeltaNotes
    Critical113-8Deeper analysis reclassified many previous criticals; remaining 3 are install/distribution and privilege
    High1420+6More granular agents found additional high-severity items in memory safety and command injection
    Medium1745+28Expanded scope (13 vs 5 agents) uncovered more medium findings
    Low6106+100Memory safety agent identified 72 low-severity missing NULL checks; previous audit did not scan at this depth
    Info098+98New agents (telemetry, Windows, install) contributed informational findings
    Total48272+224Increase driven by 13 specialized agents vs 5 broad agents
    Key changes: The overall risk rating remains MEDIUM. The significant increase in total findings reflects the expanded scope (13 specialized agents vs 5 broad agents), not a degradation in code quality. Critical findings decreased from 11 to 3, indicating that previous broad-scope agents over-classified some findings. The codebase grew by ~5,400 lines with vendor library updates (mbedTLS).

    4. Supply Chain & Dependencies

    Risk: LOW

    The project has a minimal dependency footprint with zero external package-manager dependencies for the core C build.

    Vendored Libraries

    LibraryVersionLicenseLOCStatus
    Mbed TLS3.6.6Apache-2.0 / GPL-2.0+208,584✅ Current LTS — all known CVEs patched
    yyjson0.12.0MIT19,556✅ Current — no known CVEs
    stb_image2.30Public Domain7,988✅ Latest upstream — CVE-2023-43281 fixed

    NPM Dependencies (Optional Bridge Only)

    PackageVersionPurpose
    @whiskeysockets/baileys^7.0.0-rc.9WhatsApp Web API (bridge/)
    qrcode-terminal^0.12.0QR display (bridge/)

    System Dependencies

    Resolved at build time via system packages: libcurl, pthreads, X11 (optional), Python3 (build-time), Perl (build-time). No FetchContent, vcpkg, conan, or CPM usage.

    Findings

    #SeverityFinding
    S-1MediumDocker base image alpine:latest is unpinned — non-deterministic builds
    S-2MediumARM64 Dockerfile downloads curl-8.5.0 source without integrity verification
    S-3LowNo npm lockfile for bridge component
    S-4LowMSYS2 download script fetches tools without checksum verification

    5. Build System & Code Provenance

    Risk: LOW

    Security Hardening Flags

    FlagStatus
    -Wall -Wextra✅ All builds
    -fstack-protector-strong✅ All builds
    -D_FORTIFY_SOURCE=2✅ Release builds
    -fcf-protection✅ GCC (control-flow enforcement)
    -Wl,-z,relro,-z,now✅ Dynamic builds
    -Wl,-z,noexecstack✅ Dynamic builds
    -static✅ Default (static builds)
    Strip binaries✅ Release mode

    Findings

    #SeverityFinding
    B-1MediumRELRO/noexecstack not applied to static builds (inherent limitation)
    B-2MediumSX_GENERATE_MODELS=ON default can invoke network-fetching Python script (mitigated by MODELS_FROZEN=True)
    B-3LowMisconfigured git identity (sx@sx) in one commit
    B-4LowBridge Makefile lacks PIE flag
    B-5Lowgnuwin64 download script fetches from MSYS2 without checksum

    6. Network Endpoints

    Risk: MEDIUM

    The codebase contains 145+ hardcoded URLs, 30+ IP addresses, and 40+ unique domains. All production endpoints use HTTPS. Key categories:

    Production Infrastructure Endpoints

    DomainPurposeCount
    dist.scorpiox.netBinary/image distribution10
    code.scorpiox.netTelemetry endpoints (opt-in)2
    token.scorpiox.netToken relay service4
    whisper.scorpiox.netSpeech-to-text API1
    opus.scorpiox.netOpenAI-compatible proxy1
    git.scorpiox.netGit repositories1
    get.scorpiox.netInstall script1

    Third-Party API Endpoints

    ProviderEndpoint
    Anthropicapi.anthropic.com/v1/messages
    OpenAIapi.openai.com/v1/chat/completions
    Googlegenerativelanguage.googleapis.com
    VariousSearch engine APIs (DuckDuckGo, Brave, etc.)

    Findings

    #SeverityFinding
    N-1HighHardcoded infrastructure IPs with SSH access in embedded config
    N-2HighPlaintext HTTP token endpoint at embedded IP:port
    N-3HighTCP token relay at public IP exposed in source
    N-4–N-11MediumHardcoded API endpoints, embedded relay configurations, SMTP defaults
    N-12–N-23LowDefault ports, localhost bindings, search engine URLs

    7. TLS/SSL Security

    Risk: LOW

    The codebase has a well-designed centralized TLS configuration via sx_curl_set_tls(). Certificate verification is enabled by default, TLS 1.2 is the minimum protocol version, and mbedTLS is configured appropriately.

    Findings

    #SeverityFinding
    T-1MediumPlaintext HTTP relay capability (SX_HTTP_RELAY) forwards API traffic unencrypted when configured
    T-2LowConfigurable TLS verification bypass via SX_TLS_VERIFY=0 (default is secure)
    T-3LowOpportunistic STARTTLS with VERIFY_OPTIONAL for MX delivery
    T-4LowTLS verification falls back from REQUIRED to OPTIONAL when CA certs unavailable
    T-5LowMail relay uses VERIFY_OPTIONAL (documented as appropriate for SMTP)

    Positive Findings


    8. Hardcoded Credentials

    Risk: LOW No critical or high-severity hardcoded credentials found. All API key, password, secret, and token configuration fields use empty string defaults populated at runtime. The codebase follows a configuration-driven approach where secrets are loaded from files, environment variables, SSH, HTTP endpoints, or TCP sockets.

    Findings

    #SeverityFinding
    C-1LowHardcoded internal IP addresses in embedded config (reconnaissance data)
    C-2LowExample credential "mysecret" in documentation comment
    C-3InfoEmpty credential placeholders in embedded config (correct pattern)
    C-4InfoEmpty credential placeholders in env template (correct pattern)
    C-5InfoHardcoded public DNS resolver IPs (8.8.8.8, 1.1.1.1)

    9. File I/O & Data Handling

    Risk: MEDIUM

    Config files and logs use chmod 0600; session directories use 0700; mkstemp() is used for most temp files. However, several medium-severity issues exist.

    Findings

    #SeverityFinding
    F-1MediumPredictable temp file name in editor flow (sx-edit-.txt) — symlink attack risk
    F-2MediumPredictable temp file name on Windows POST body (sx_post__)
    F-3MediumFull API request/response bodies logged to disk indefinitely (0600 permissions)
    F-4LowTraffic logging captures full request/response including auth headers
    F-5LowConversation data stored unencrypted (session JSON files)
    F-6LowMaildir email files created with default umask (not explicit 0600)
    F-7LowWhatsApp/iMessage inbox directories created with 0755
    F-8LowContainer device nodes created with 0666 permissions
    F-9InfoNo log rotation for API and session logs

    Positive Findings


    10. Buffer Safety

    Risk: LOW

    The codebase demonstrates excellent buffer safety discipline. Zero uses of sprintf, strcpy, strcat, gets, or scanf in project-owned code.

    Metrics

    FunctionCountSafety
    sprintf0✅ Not used
    strcpy0✅ Not used
    strcat0✅ Not used
    gets0✅ Not used
    scanf0✅ Not used
    snprintf2,232✅ Bounded
    strncpy603✅ Bounded
    strncat20✅ Bounded
    memcpy509✅ All checked
    Safe-to-unsafe ratio: ∞ (no unsafe function calls)

    Findings

    #SeverityFinding
    BF-1MediumUnclamped snprintf accumulation in scorpiox-sdk.c — stack overflow if args > 16KB
    BF-2MediumUnclamped snprintf accumulation in scorpiox-wsl.c — stack overflow if args > 4KB
    BF-3Lowstrncpy without explicit null-termination in scorpiox-wsl.c
    BF-4LowFixed-size buffers for path construction (4096 bytes) — theoretical truncation on extreme paths

    11. Memory Safety

    Risk: MEDIUM

    The codebase contains 525 dynamic allocation calls (291 malloc, 90 calloc, 110 realloc) across ~110 source files with ~1,395 free() calls. The project generally follows a safe realloc pattern. However, 93 allocation sites lack NULL-check validation.

    Findings

    #SeverityFinding
    MS-H1–H6High (6)Missing NULL checks in network provider code (sx_request.c, sx_http.c, sx_provider_codex.c, sx_frp.c, sx_api.c) — crash under memory pressure
    MS-M1MediumResource leaks in tb4_transport.c — struct and FD leaked on allocation failure
    MS-M2Medium14 missing NULL checks in terminal buffer allocations (sx_term.c)
    MS-M3–M15Medium (13)Additional resource/memory leaks on error paths across multiple files
    MS-L1–L72Low (72)Missing NULL checks on malloc/calloc in non-critical paths

    Positive Findings


    12. Command Injection

    Risk: HIGH

    The codebase contains ~80 system() calls, ~30 popen() calls, and ~50 exec*() calls. Many files demonstrate awareness of injection risks with is_safe_shell_arg() validation and explicit fork()+execvp() usage. However, several high-severity vectors remain.

    Findings

    #SeverityFinding
    CJ-1CriticaliMessage handler passes user message content to system() via AppleScript — remote message content reaches shell (macOS-only)
    CJ-2HighSCORPIOX_DOCS_PYTHON env var reaches system() unsanitized (Linux-only)
    CJ-3HighTUI ! shell escape passes input directly to system() (by design, local-only)
    CJ-4Highscorpiox-server Windows CGI path builds cmd.exe strings from HTTP parameters (sanitized but strip-not-reject)
    CJ-5HighFile paths from SQLite reach system() via cp commands in scorpiox-search.c
    CJ-6Mediumscorpiox-agent builds system() commands from argv (validated by is_safe_shell_arg())
    CJ-7Mediumscorpiox-init tool installation via system() with formatted commands
    CJ-8Mediumscorpiox-traffic uses system() for cleanup commands (Linux-only)
    CJ-9Mediumscorpiox-server OTP handler embeds HTTP params in Windows command (validated)
    CJ-10MediumSSH config values reach _popen() on Windows (validated against metacharacters)
    CJ-11Mediumscorpiox-tmux multiplexer uses system() for backend commands

    Positive Findings


    13. Privilege & Access Control

    Risk: MEDIUM

    No direct setuid()/setgid() calls in project source. However, several components require root or elevated privileges to function.

    Components Requiring Elevated Privileges

    ComponentRequirementPlatform
    scorpiox-unshare --privilegedReal root (skips user namespace)Linux
    scorpiox-vm/dev/kvm access (kvm group or root)Linux
    scorpiox-vm/dev/net/tun (CAP_NET_ADMIN)Linux
    scorpiox-thunderbolt4/dev/bpf* (sudo required)macOS
    scorpiox-dnsPort 53 binding (privileged port)Linux
    scorpiox-server-emailPorts 25/587/993 (privileged ports)Linux

    Findings

    #SeverityFinding
    P-1Critical--privileged container mode disables user namespace — real root, no isolation
    P-2Highscorpiox-unshare auto-writes /etc/subuid//etc/subgid when running as root
    P-3Highscorpiox-thunderbolt4 requires sudo for raw BPF access
    P-4High40+ system() calls across multiple files create shell injection surface
    P-5–P-12Medium (8)Privileged port bindings, GPU passthrough, network namespace bypass, daemon processes

    Positive Findings


    14. Windows Deployment Analysis

    Risk: LOW

    The Windows build is well-engineered with proper platform abstractions, safe process execution, and no hardcoded secrets.

    Windows Build Architecture

    AspectDetail
    CompilerMinGW GCC (WinLibs POSIX UCRT)
    LinkingFully static (-static, CURL_STATICLIB)
    System Libsws2_32, crypt32, advapi32, bcrypt, gdi32, user32
    DLLOptional libsx.dll for C# P/Invoke

    Windows-Specific Security Properties

    Findings (All Informational)

    #Finding
    W-1Network endpoints contact external APIs (all configurable, all HTTPS)
    W-2WinINet used for downloads (SHA256 verified)
    W-3WSL2 distro management via wsl.exe
    W-4CreateProcess for shell commands with temp .bat files
    W-5Winsock initialization (standard)
    W-6DLL exports 6 functions for P/Invoke
    W-7Static linking with vendored libraries
    W-8GNU tools distribution via scorpiox-busybox
    W-9Standard Windows file paths
    W-10Self-update mechanism (SHA256 verified)

    15. Telemetry and Tracking

    Risk: LOW All telemetry is disabled by default. No network calls related to tracking occur unless explicitly opted in via configuration.

    Default Configuration

    Config KeyDefaultEffect
    USAGE_TRACKING0 (disabled)Token usage reporting
    EMIT_SESSION_TRACKING0 (disabled)Full conversation reporting
    WA_BRIDGE_AUTO_UPDATEon-demandOnly when WhatsApp feature is used

    Data Collection (When Opted In)

    FeatureData CollectedPrivacy Impact
    Usage TrackingSession ID, provider, model, token counts, hostname, username, OSMedium — machine fingerprint
    Session TrackingFull conversation content (prompts, responses, tool output)High — complete conversation data

    Findings

    #SeverityFinding
    TL-1LowStale comment says USAGE_TRACKING default is 1 but compiled default is 0
    TL-2InfoSession telemetry sends full conversation content when enabled
    TL-3InfoUsage tracking collects hostname/username when enabled

    Corporate Deployment Recommendation

    No configuration changes needed for zero tracking — the defaults already disable all telemetry. For additional hardening:


    16. Install Script & Distribution Security

    Risk: HIGH

    This is the highest-risk area of the audit. The distribution pipeline has significant gaps in integrity verification and code signing.

    Findings

    #SeverityFinding
    IS-1CriticalInstall URL missing https:// scheme — potential plaintext HTTP download piped to bash
    IS-2HighNo code signing on any distributed binary (GPG, cosign, Authenticode all absent)
    IS-3HighSHA256 checksums co-located with binaries on same server — compromised server defeats verification
    IS-4HighContainer image downloads have zero integrity verification
    IS-5HighContainer bootstrap curl \tar with no hash verification
    IS-6MediumBridge SHA256 bypass: invalid .sha256 format allows unverified install
    IS-7MediumFirmware download (SeaBIOS) has no integrity verification
    IS-8Mediumcurl \bash install pattern — inherently risky
    IS-9MediumNo reproducible builds — no SOURCE_DATE_EPOCH, unpinned Docker images
    IS-10LowDistribution via SMB to NAS — network-level trust for upload integrity
    IS-11LowWSL self-update dead code (defined but never called)
    IS-12LowmacOS codesign uses ad-hoc signature (--sign -), not Developer ID

    17. Consolidated Risk Matrix

    #AreaFindingSeverityStatusRecommendation
    IS-1DistributionInstall URL missing https:// schemeCriticalOpenAdd https:// prefix to install URL in scorpiox-sdk.c:1228
    CJ-1Command InjectioniMessage user content reaches system() via AppleScriptCriticalOpenSanitize message content before AppleScript interpolation (macOS-only)
    P-1Privilege--privileged container mode disables all isolationCriticalBy DesignDocument risk; restrict --privileged flag usage
    IS-2DistributionNo code signing on distributed binariesHighOpenImplement GPG signing for Linux, Authenticode for Windows
    IS-3DistributionSHA256 checksums co-located with binariesHighOpenHost checksums on separate infrastructure or use code signing
    IS-4DistributionContainer images downloaded without integrity checkHighOpenVerify SHA256 of container image tarballs before extraction
    IS-5DistributionContainer bootstrap curl \tar unverifiedHighOpenAdd hash verification to container bootstrap scripts
    CJ-2Command InjectionEnv var SCORPIOX_DOCS_PYTHON reaches system()HighOpenUse fork()+execvp() for dependency checks (Linux-only)
    CJ-3Command InjectionTUI ! shell escape — direct system()HighBy DesignDocument risk for automated/remote TUI scenarios
    CJ-4Command InjectionWindows CGI builds cmd.exe from HTTP paramsHighMitigatedSX_SANITIZE_CMD strips dangerous chars; consider reject-not-strip
    CJ-5Command InjectionSQLite file paths reach system()HighOpenUse fork()+execvp() for file copy operations
    MS-H1–6Memory SafetyMissing NULL checks in network codeHighOpenAdd NULL checks after allocation in sx_request.c, sx_http.c, etc.
    P-2PrivilegeAuto-writes to /etc/subuid//etc/subgidHighOpenRequire explicit user confirmation before modifying system files
    P-3PrivilegeBPF raw access requires sudoHighBy DesignDocument requirement (macOS-only)
    P-4Privilege40+ system() calls across codebaseHighOngoingMigrate to fork()+execvp() — several files already converted
    T-1TLSHTTP relay forwards API traffic unencryptedMediumBy DesignWarn user when HTTP relay is active
    BF-1BufferUnclamped snprintf accumulation (sdk)MediumOpenAdd if (cpos >= sizeof(buf)) break; clamping
    BF-2BufferUnclamped snprintf accumulation (wsl)MediumOpenAdd offset clamping after each snprintf
    F-1File I/OPredictable temp file in editor flowMediumOpenReplace with mkstemp()
    F-2File I/OPredictable temp file on Windows POSTMediumOpenUse GetTempFileNameA()
    F-3File I/OAPI bodies logged indefinitelyMediumOpenAdd log rotation with size limits
    IS-6DistributionBridge SHA256 bypass on invalid formatMediumOpenTreat invalid .sha256 format as failure
    IS-7DistributionFirmware download unverifiedMediumOpenPin SHA256 hash for BIOS firmware
    IS-8Distributioncurl \bash install patternMediumBy DesignProvide two-step download-then-verify alternative
    IS-9DistributionNo reproducible buildsMediumOpenPin Docker image digests, set SOURCE_DATE_EPOCH
    S-1Supply ChainUnpinned Docker base imageMediumOpenPin alpine to digest
    S-2Supply Chaincurl source download without checksumMediumOpenAdd SHA256 verification to Dockerfile
    B-1BuildNo noexecstack on static buildsMediumOpenAdd -z,noexecstack to static link flags
    B-2BuildNetwork-capable build-time code genMediumMitigatedMODELS_FROZEN=True gate — consider removing network option
    MS-M1–15Memory SafetyResource/memory leaks on error pathsMediumOpenFix cleanup in tb4_transport.c, sx_term.c, etc.
    CJ-6–11Command InjectionVarious system() with validated inputsMediumMitigatedContinue migration to execvp()
    N-1–3NetworkHardcoded IPs/endpoints in embedded configHighOpenMove to deployment-time configuration
    P-5–12PrivilegePrivileged ports, GPU passthrough, etc.MediumBy DesignDocument requirements; all Linux-only

    18. Conclusion & Recommendations

    Overall Assessment

    ScorpioX Code demonstrates strong security engineering fundamentals for a C-based project of this scale. The codebase achieves zero unsafe C function usage, comprehensive input validation on critical paths, secure defaults for TLS and telemetry, and a clean dependency profile with up-to-date vendored libraries. The code quality indicates an experienced development team with active security awareness.

    Risk Rating

    ScopeRatingRationale
    OverallMEDIUMInstall/distribution gaps and residual system() usage offset strong fundamentals
    Windows WorkstationLOWAll Windows-specific findings are informational; safe process APIs used throughout
    Linux ServerMEDIUM-HIGHContainer runtime, VM, and server components have broader attack surface

    Priority Recommendations

    Immediate (Critical/High):
  • Fix install URL — Add https:// prefix to get.scorpiox.net URL in scorpiox-sdk.c:1228
  • Implement code signing — Authenticode for Windows binaries, GPG for Linux
  • Add container image verification — SHA256 check before extraction in scorpiox-unshare.c
  • Add NULL checks — 6 high-severity missing checks in network provider code
  • Sanitize iMessage content — Escape shell metacharacters before AppleScript interpolation
  • Short-Term (Medium):
  • Migrate system() to execvp() — Prioritize scorpiox-docs.c, scorpiox-search.c, scorpiox-init.c
  • Fix predictable temp files — Replace fopen() with mkstemp() in sx.c:615 and Windows POST handler
  • Add log rotation — Size-limited rotation for api.log and session logs
  • Host checksums separately — Move .sha256 files to different infrastructure than binaries
  • Fix snprintf accumulation — Add clamping in scorpiox-sdk.c and scorpiox-wsl.c
  • Long-Term:
  • Reproducible builds — Pin Docker images by digest, set SOURCE_DATE_EPOCH
  • Memory safety sweep — Address remaining 72 low-severity NULL check gaps
  • npm lockfile — Add package-lock.json for bridge component
  • Firmware integrity — Pin SHA256 hashes for all downloaded firmware

  • 19. Appendix: Audit Methodology

    Agents Deployed

    #AgentScopeReport
    1supply-chainDependencies, vendored libs, build-time downloads01-supply-chain.md
    2build-provenanceCMake config, compiler flags, hardening02-build-provenance.md
    3network-endpointsURLs, IPs, ports, domains in source03-network-endpoints.md
    4tls-securityTLS config, certificate verification, protocol versions04-tls-security.md
    5credential-hardcodeAPI keys, passwords, tokens, secrets in source05-credential-hardcode.md
    6file-ioTemp files, permissions, data at rest, logging06-file-io.md
    7buffer-safetyBuffer overflow, unsafe functions, format strings07-buffer-safety.md
    8memory-safetymalloc/free, NULL checks, use-after-free, leaks08-memory-safety.md
    9command-injectionsystem(), popen(), exec*(), shell metacharacters09-command-injection.md
    10privilege-accesssetuid, root access, namespaces, daemon processes10-privilege-access.md
    11windows-deploymentWindows binaries, APIs, platform-specific risks11-windows-deployment.md
    12telemetry-trackingData collection, phone-home, opt-in/out behavior12-telemetry-tracking.md
    13install-scriptDistribution, install scripts, code signing, integrity13-install-script.md

    Methodology

    • Static analysis of all project-owned C source files (excluding vendor code unless explicitly noted)
    • Pattern matching for unsafe functions, hardcoded values, and known vulnerability patterns
    • Manual verification of all automated findings to eliminate false positives
    • Cross-referencing between agents to identify compound risk scenarios
    • Platform-specific analysis separating Windows, Linux, and macOS code paths
    • Configuration review of build system, deployment scripts, and default settings

    Scope Limitations