📄 security-audit-report.md
⬇ Download Raw

Third-Party Software Security Review — SCORPIOX CODE

FieldValue
SoftwareSCORPIOX CODE
TypeAI-Powered Development Tool / CLI Platform
LanguagePure C (zero external dependencies)
Audit Date2026-04-29
Codebase Commitca3fe9b31756f623e212b011debc7c6d119388f3
ClassificationCONFIDENTIAL — For Corporate Review Only

1. Executive Summary

This report presents a comprehensive security audit of SCORPIOX CODE, an AI-powered development tool and CLI platform written in pure C with zero external runtime dependencies. The codebase spans 403,876 lines of code (173,858 first-party, 230,018 vendored) across approximately 149 non-vendor source files. Thirteen specialized audit agents analyzed the software across all major security domains.

Key Findings

SeverityCount
Critical0
High7
Medium28
Low37
Info135
Total207
Overall Risk Rating: LOW-MEDIUM

The software demonstrates mature security engineering practices across the majority of its codebase:

The 7 high-severity findings are concentrated in two areas:

  • Install script integrity (3 findings): Install scripts download archives without checksum verification, get.scorpiox.net accepts HTTP without redirect, and no code signing exists.
  • Command injection on Windows (2 findings): The HTTP server's Windows CGI path and git deploy handler use shell interpolation with incomplete sanitization.
  • Memory safety (1 finding): A fragile use-after-free contract in the provider vtable cleanup pattern.
  • Privilege isolation (1 finding): The --privileged container flag bypasses user namespace isolation.
  • For Windows workstation deployment (the primary corporate use case), the risk profile is LOW — the most concerning findings (install script integrity, Windows CGI injection) are either mitigable through network controls or limited to server-mode operation not typical of developer workstation use.


    2. Deployment Scope

    Windows Workstation (Primary Deployment Target)

    The following binaries compile and deploy on Windows:

    BinaryPurpose
    sx.exeMain AI-powered TUI — primary developer interface
    scorpiox.exeAlias/launcher for sx
    scorpiox-bash.exeShell command execution tool for AI agent
    scorpiox-busybox.exeUnix tool manager (MSYS2/BusyBox coreutils)
    scorpiox-screenshot.exeScreen capture via Win32 GDI
    scorpiox-vi.exeBuilt-in text editor
    scorpiox-config.exeConfiguration TUI editor
    scorpiox-websearch.exeWeb search tool
    scorpiox-fetch.exeURL content fetcher (headless browser)
    scorpiox-renderimage.exeImage rendering/display
    scorpiox-pwsh.exePowerShell execution wrapper
    scorpiox-wsl.exeWSL2 distribution manager (Windows-only)

    Additional Windows-compiled binaries (43 total): scorpiox-agent, scorpiox-askuserquestion, scorpiox-beam, scorpiox-claudecode-fetchtoken, scorpiox-claudecode-models, scorpiox-claudecode-refreshtoken, scorpiox-codex-fetchtoken, scorpiox-codex-refreshtoken, scorpiox-conv, scorpiox-debug, scorpiox-dns, scorpiox-email, scorpiox-emit-session, scorpiox-frp, scorpiox-gemini, scorpiox-gemini-fetchtoken, scorpiox-hook, scorpiox-host, scorpiox-kql, scorpiox-logger, scorpiox-mcp, scorpiox-mirror-git, scorpiox-multiplexer, scorpiox-openai, scorpiox-otp, scorpiox-planmode, scorpiox-printlogs, scorpiox-rewind, scorpiox-sdk, scorpiox-search, scorpiox-server, scorpiox-server-email, scorpiox-server-fetchtoken, scorpiox-server-http2tcp, scorpiox-skills, scorpiox-systemprompt, scorpiox-tasks, scorpiox-tmux, scorpiox-transcript, scorpiox-usage, scorpiox-vault-git, scorpiox-voice.

    Linux-Only Binaries (Not Deployed on Windows)

    BinaryReason
    scorpiox-unshareLinux namespaces / container runtime (CLONE_NEWNS, pivot_root)
    scorpiox-vmKVM-based virtual machine (Linux ioctls)
    scorpiox-initContainer init process (PID 1 in namespaces)
    scorpiox-sshpassSSH password automation (Unix PTY)
    scorpiox-trafficNetwork traffic capture proxy (Unix-only)
    scorpiox-podmanPodman container integration
    scorpiox-cronCron-style scheduler
    scorpiox-docsDocumentation generator
    scorpiox-runtestTest runner
    scorpiox-executecurlCurl execution wrapper
    scorpiox-whatsappWhatsApp bridge (fork/pipe/select)
    scorpiox-thunderbolt4Thunderbolt 4 file transfer (raw BPF sockets)
    scorpiox-imessageiMessage integration (macOS/Linux)

    Windows-Filtered Findings

    When excluding findings that apply only to Linux-only components:

    SeverityAll PlatformsWindows-Relevant
    Critical00
    High76
    Medium2823
    Low3730
    Info135133
    Total207192

    The reduction is primarily from Linux-specific findings in privilege management (container --privileged flag, thunderbolt4 root requirement, KVM access), file I/O (O_CLOEXEC, PID file TOCTOU), and command injection (Linux-only tool paths).


    3. Changes Since Last Audit

    FieldPrevious AuditCurrent AuditDelta
    Audit Folderoutput/2026-04-29_3ad7dfcoutput/2026-04-29_ca3fe9b
    Commit3ad7dfcca3fe9b+21,111 LOC project code
    Lines of Code (Total)381,273403,876+22,603
    Lines of Code (Project)152,747173,858+21,111
    Lines of Code (Vendor)228,526230,018+1,492

    Findings Delta by Severity

    SeverityPreviousCurrentChange
    Critical20−2
    High187−11
    Medium10028−72
    Low6037−23
    Info87135+48
    Total286207−79

    Windows Findings Delta

    SeverityPreviousCurrentChange
    Critical10−1
    High56+1
    Medium4223−19
    Low2830+2
    Total (excl info)7659−17
    Summary: Significant improvement across all actionable severity levels. Critical findings dropped from 2 to 0, high findings reduced by 61%, and medium findings reduced by 72%. The increase in informational findings reflects more thorough enumeration of network endpoints and positive security controls (not security defects). The codebase grew by 21,111 lines of project code with a net decrease in vulnerability count — indicating improved code quality practices.

    4. Supply Chain & Dependencies

    Agent Risk Rating: LOW

    The project has a minimal and well-controlled supply chain:

    ComponentTypeVersionLicense
    Mbed TLSVendored C library3.6.6 (LTS)Apache-2.0 / GPL-2.0+
    yyjsonVendored C library (single-file)0.12.0MIT
    MSYS2 GNU toolsDownload script (Windows dev)VariousGPL
    Bun/npmBridge component onlylockfile-pinnedVarious
    Key Positives: Findings:
    IDSeverityFinding
    M1Mediumgnuwin64/download.ps1 downloads MSYS2 packages without SHA256 checksum verification
    M2MediumDockerfile.linux-arm64 uses ubuntu:22.04 without digest pin
    L1Lowrelease_whatsapp.ps1 installs Bun via curl\bash without verification
    L2Lowpip3 install requests without version pinning in ARM64 Dockerfile

    5. Build System & Code Provenance

    Agent Risk Rating: LOW

    The project uses a two-tier CMake build system (C11) with comprehensive security hardening:

    Security FlagStatus
    -Wall -Wextra✅ Full warnings
    -fstack-protector-strong✅ Stack canaries
    -D_FORTIFY_SOURCE=2✅ Release mode
    -fcf-protection✅ GCC control-flow enforcement
    -Wl,-z,noexecstack✅ Non-executable stack
    -Wl,-z,relro,-z,now✅ Full RELRO
    -fPIE / -pie❌ Incompatible with static linking (expected)

    Build provenance is maintained via build-info.json files with commit hash, branch, date, and platform. Model header code generation (generate_models) is frozen by default (MODELS_FROZEN = True) and disabled in release builds.

    Findings:
    IDSeverityFinding
    M1MediumBun runtime downloaded via curl\bash at build-time in WhatsApp release script
    L1LowBridge Makefile missing linker hardening flags (RELRO, noexecstack)
    L2LowNo reproducible build infrastructure (SOURCE_DATE_EPOCH not set)

    6. Network Endpoints

    Agent Risk Rating: LOW

    A total of 364 URL references were found (218 in vendored code, 146+ in project code). All external endpoints serve legitimate purposes:

    CategoryCountExamples
    First-party infrastructure19dist.scorpiox.net, token.scorpiox.net, code.scorpiox.net
    AI provider APIs15+Anthropic, OpenAI, Google Gemini, Codex endpoints
    Search engines5+Google, Bing, DuckDuckGo, Brave, Kagi
    Public DNS41.1.1.1, 8.8.8.8, 9.9.9.9, 208.67.222.222
    Localhost bindings5+127.0.0.1 (properly scoped)
    Findings:
    IDSeverityFinding
    M1MediumDNS server defaults to 0.0.0.0 binding (standard but broad)
    L1LowSome endpoints configurable via env vars without validation
    L2LowWhatsApp bridge connects to Meta infrastructure (expected)

    7. TLS/SSL Security

    Agent Risk Rating: MEDIUM

    The codebase has a centralized TLS configuration (sx_tls.h) that ensures consistent certificate verification across all 9 curl callsites. Defaults are strong with verification enabled.

    Findings:
    IDSeverityFinding
    FINDING-01MediumTLS verification globally disableable via single SX_TLS_VERIFY config flag — affects all 9 curl callsites
    FINDING-04MediumMissing mbedtls_ssl_conf_min_tls_version in 2 of 3 mbedTLS contexts (sxmail_queue.c, sx_frp.c)
    FINDING-03LowOpportunistic TLS with VERIFY_OPTIONAL for MX mail delivery (industry standard per RFC 3207)
    FINDING-06LowNon-PFS cipher suite (RSA key exchange) enabled alongside PFS suites
    FINDING-08LowHTTP credential injection over plaintext localhost IPC
    Positive Controls:

    8. Hardcoded Credentials

    Agent Risk Rating: LOW No actual secrets, API keys, or passwords are hardcoded in the codebase. All credential configuration fields use empty-string placeholders, deferring injection to runtime. Findings:
    IDSeverityFinding
    MEDIUM-01MediumDefault SSH username "root" hardcoded in embedded config (CLAUDE_CODE_SSH_USER)
    MEDIUM-02MediumHardcoded private IP addresses (192.168.1.3, 192.168.1.6) in environment template
    MEDIUM-03MediumHardcoded internal IP root@192.168.1.3 in release orchestration scripts
    LOW-01Low15+ hardcoded internal service URLs compiled into binaries
    LOW-02LowNon-standard SSH port 22223 reveals infrastructure detail

    9. File I/O & Data Handling

    Agent Risk Rating: LOW-MEDIUM

    File I/O practices are generally strong:

    Findings:
    IDSeverityFinding
    FIO-01MediumMissing O_CLOEXEC on ~48 open() calls — FDs may leak to child processes
    FIO-02MediumPID file TOCTOU race condition (mitigated by socket bind)
    FIO-03MediumGemini API key passed in URL query parameters — risk of exposure via intermediaries
    FIO-04LowContainer device mount targets created 0666
    FIO-05LowSMTP relay password not zeroed from memory after use
    FIO-06LowRelease scripts pass passwords via command-line arguments
    FIO-07LowDNS audit log and hook log files world-readable (0644)

    10. Buffer Safety

    Agent Risk Rating: LOW

    Buffer safety discipline is exceptional across the codebase:

    MetricValue
    snprintf usage2,252 calls
    strncpy usage601 calls
    Unsafe sprintf (real)1 (provably safe — bounded hex conversion)
    Unsafe strcpy / strcat / gets0
    Format string vulnerabilities0
    Unbounded scanf0
    Safety ratio>99.95%
    Findings:
    IDSeverityFinding
    MEDIUM-01Mediumsnprintf return value accumulation without clamping in IMAP FETCH response builder — potential OOB write on truncation
    MEDIUM-02MediumSame pattern in RFC822 email message builder (scorpiox-email.c) — heap buffer overflow writing CRLF terminator
    MEDIUM-03MediumSame pattern in IMAP SEARCH response builder
    LOW-01Low234 large stack buffers (≥4096 bytes) — stack exhaustion risk on deep recursion
    LOW-02LowInteger multiplication in malloc without overflow check
    LOW-03Lowstrncpy null-termination reliance patterns
    LOW-04LowStatic 64KB buffers in WASM HTTP module

    11. Memory Safety

    Agent Risk Rating: LOW

    Memory management is well-disciplined:

    MetricValue
    Total allocation sites~454
    Sites with NULL check~419 (92%+)
    Unsafe realloc patterns0
    Confirmed double-free0
    strdup calls (via sx_strdup)402 (all abort-on-OOM)
    Findings:
    IDSeverityFinding
    FINDING-01HighUse-after-free risk in sx_provider_free() — vtable free() call followed by p->data = NULL write. Currently safe (all existing providers only free sub-resources), but fragile undocumented contract that breaks if any future provider frees p itself
    FINDING-02MediumMissing NULL checks in scorpiox-thunderbolt4.c buffer allocations — memory leak on OOM in error path
    FINDING-04LowMissing NULL check on sx_term.c capture buffer
    FINDING-05–07LowRedundant dead-code NULL check patterns (cosmetic)

    12. Command Injection

    Agent Risk Rating: MEDIUM

    Most code paths use fork()+execvp() (argv-based, no shell) — the safe approach. Where system()/popen() is used, input validation is generally present (is_safe_shell_arg(), SX_SANITIZE_CMD, character whitelisting, single-quote escaping).

    Findings:
    IDSeverityCVSSFinding
    CJ-01High8.1Windows HTTP server CGI path builds cmd /C with HTTP request fields via SX_SANITIZE_CMD — strips rather than rejects dangerous chars; does not filter \t, \0, @
    CJ-09High7.5Git deploy handler in HTTP server single-quote-wraps paths but does not escape embedded single quotes
    CJ-02Medium6.3Image file paths interpolated into ffmpeg/convert/ffprobe shell commands — filenames with metacharacters could escape double-quoting
    CJ-03Medium5.3sx_tool_exists() passes unsanitized tool name to which via popen()
    CJ-05Medium5.9Windows agent tool-wait path uses system() with incomplete is_safe_shell_arg() validation
    CJ-06Medium5.6Windows SSH command in scorpiox-tmux.c uses system() with unsanitized hostname
    CJ-08Medium5.4Windows sx_rmrf() uses system("rd /s /q ...") with path interpolation

    13. Privilege & Access Control

    Agent Risk Rating: MEDIUM

    No setuid/setgid bits are set on any binary. The container runtime (scorpiox-unshare) implements comprehensive Linux namespace isolation with pivot_root.

    Findings:
    IDSeverityFinding
    H-1High--privileged flag bypasses user namespace isolation in scorpiox-unshare (Linux-only, requires root)
    M-1Mediumscorpiox-thunderbolt4 requires unconditional root — could use CAP_NET_RAW instead
    M-2MediumDNS server does not drop privileges after binding to port 53
    M-3Mediumsx_system_safe() passes commands through /bin/sh -c despite its name
    L-1LowChroot paths in unshare container built via string formatting
    L-2LowAgent metacharacter filtering for is_safe_shell_arg() is incomplete
    L-3LowKVM VM requires /dev/kvm group membership
    Positive Controls:

    14. Windows Deployment Analysis

    Agent Risk Rating: LOW

    The Windows deployment surface is clean and well-structured:

    ObservationDetail
    Self-update integritySHA256 verified via .sha256 sidecar file (falls through if unavailable)
    Network surfaceServer binaries bind to configurable addresses; none require elevation
    Optional DLLlibsx.dll (C# P/Invoke) — standard export pattern, no elevated concerns

    15. Telemetry and Tracking

    Agent Risk Rating: LOW Verdict: No tracking by default.
    Config KeyDefaultMeaning
    USAGE_TRACKING"0" (off)Token usage reporting
    EMIT_SESSION_TRACKING"0" (off)Session event telemetry
    WA_BRIDGE_AUTO_UPDATE"on-demand"WhatsApp bridge updates
    For zero-tracking corporate deployment, no configuration changes are needed — defaults are already off. Findings:
    IDSeverityFinding
    TEL-01LowUsage tracking guard uses opt-out pattern (if value == "0") instead of opt-in (if value == "1") — NULL would bypass, mitigated by config always providing default "0"

    16. Install Script & Distribution Security

    Agent Risk Rating: MEDIUM

    The installation mechanism uses curl|bash / iwr|iex pattern. While internal components (scorpiox-wsl, libsxbridge) implement SHA256 verification, the user-facing install scripts do not.

    Findings:
    IDSeverityFinding
    F-01HighInstall scripts download archives without checksum verification — SHA256 sidecars exist but are not consumed
    F-02Highget.scorpiox.net serves install scripts over HTTP without redirect to HTTPS
    F-03HighNo code signing or GPG signature verification on downloaded binaries
    F-04MediumNon-atomic installation — interrupted downloads leave partial state
    F-05MediumEmbedded scorpiox-update mechanism has no checksum verification
    F-06MediumLinux installer writes to /usr/local/bin with sudo
    F-07MediumWindows updater .cmd wrapper bypasses PowerShell execution policy
    F-08LowNo HSTS header on dist.scorpiox.net
    F-09LowNo uninstall mechanism or documentation
    F-10LowmacOS installer modifies shell rc files without backup
    F-11LowBranch-based distribution allows index.txt hijack to redirect to arbitrary branch
    Positive Controls:

    17. Consolidated Risk Matrix

    #AreaFindingSeverityStatusRecommendation
    1Install ScriptArchives downloaded without checksum verificationHIGHOpenConsume existing .sha256 sidecar files in install scripts
    2Install Scriptget.scorpiox.net serves over HTTPHIGHOpenEnforce HTTPS redirect on install script server
    3Install ScriptNo code signing on binariesHIGHOpenImplement GPG or Sigstore signing for release artifacts
    4Command InjectionWindows CGI cmd /C with incomplete sanitizationHIGHPartialUse CreateProcess() with environment block instead of cmd /C
    5Command InjectionGit deploy handler missing single-quote escapingHIGHPartialUse fork()+execvp() with argv array
    6Memory SafetyUse-after-free risk in provider vtable cleanupHIGHLatentDocument invariant or restructure to set p->data = NULL before vtable->free()
    7Privilege Access--privileged bypasses namespace isolationHIGHBy DesignAdd explicit documentation and --yes-i-know confirmation
    8TLS SecurityGlobal TLS verification toggle affects all endpointsMediumMitigatedMake per-module or add persistent visual warning
    9TLS SecurityMissing minimum TLS version in 2 of 3 mbedTLS contextsMediumOpenAdd mbedtls_ssl_conf_min_tls_version(TLS1_2) to all contexts
    10Credential HardcodeDefault SSH user "root" in embedded configMediumOpenChange default to non-privileged service account
    11Credential HardcodeHardcoded private IPs in environment templateMediumOpenReplace with placeholder values
    12Credential HardcodeHardcoded internal IP in release scriptsMediumOpenUse configurable $BUILD_HOST variable
    13File I/OMissing O_CLOEXEC on ~48 file descriptorsMediumOpenAdd O_CLOEXEC to all open() calls
    14File I/OGemini API key in URL query parametersMediumOpenMove to request header or POST body
    15File I/OPID file TOCTOU race conditionMediumMitigatedSocket bind provides secondary protection
    16Buffer Safetysnprintf return value accumulation (3 sites)MediumOpenClamp rl after each snprintf to prevent unsigned underflow
    17Command InjectionImage path injection via ffmpeg/convert shell commandsMediumOpenUse fork()+execvp() with discrete argv arguments
    18Command Injectionsx_tool_exists() unsanitized tool name in popen()MediumOpenUse fork()+execvp() for which lookup
    19Command InjectionWindows agent tool-wait via system()MediumPartialMigrate to CreateProcess() with argv
    20Command InjectionWindows SSH command via system()MediumOpenUse CreateProcess() or _spawnvp()
    21Command InjectionWindows sx_rmrf() via system("rd /s /q")MediumOpenUse RemoveDirectoryW() Win32 API
    22Privilege AccessDNS server doesn't drop privileges after port 53 bindMediumOpenImplement setuid(nobody) after bind
    23Privilege Accesssx_system_safe() misleading name — uses /bin/sh -cMediumOpenRename or refactor to use execvp()
    24Privilege AccessThunderbolt4 requires full root (could use CAP_NET_RAW)MediumOpenSupport Linux capabilities as alternative
    25Install ScriptNon-atomic installationMediumOpenImplement staging directory + atomic rename
    26Install Scriptscorpiox-update lacks checksum verificationMediumOpenPort verify_sha256 from C code to update scripts
    27Install ScriptLinux installer uses sudo for /usr/local/binMediumOpenOffer user-local install option (~/.local/bin)
    28Install ScriptWindows .cmd wrapper bypasses execution policyMediumOpenDocument security implication; offer signed script alternative
    29Supply ChainMSYS2 downloads without integrity verificationMediumOpenAdd SHA256 checksum verification to download.ps1
    30Supply ChainUnpinned Docker base image (ubuntu:22.04)MediumOpenPin to specific SHA256 digest
    31Build ProvenanceBun runtime via curl\bash in release scriptMediumOpenPin Bun version and verify install script hash
    32Network EndpointsDNS server default 0.0.0.0 bindingMediumOpenDocument and/or default to 127.0.0.1
    33Memory SafetyThunderbolt4 buffer allocation leak on OOMMediumOpenFree all buffers individually in error path

    18. Conclusion & Recommendations

    Overall Assessment

    SCORPIOX CODE demonstrates a mature security posture for a large C codebase. The software exhibits:

    Priority Recommendations

    Immediate (High Priority):
  • Implement checksum verification in install scripts — the infrastructure already generates SHA256 sidecars; install scripts need to consume them
  • Enforce HTTPS on get.scorpiox.net — add HTTP→HTTPS redirect for the install script server
  • Migrate Windows cmd /C CGI path to CreateProcess() — eliminate shell interpolation for HTTP-received inputs
  • Document the provider vtable memory contract — add explicit comment that vtable->free() must not free the provider struct itself, or restructure the cleanup order
  • Short-Term (Medium Priority):
  • Add O_CLOEXEC to all open() calls across the codebase
  • Clamp snprintf return values in accumulation patterns (IMAP, email builders)
  • Migrate remaining popen()/system() calls on Windows to CreateProcess() with argv arrays
  • Add mbedtls_ssl_conf_min_tls_version() to all mbedTLS contexts
  • Replace hardcoded internal IPs with configurable variables
  • Implement code signing for release artifacts (Sigstore/GPG)
  • Long-Term (Hardening):
  • Implement atomic installation with staging directory
  • Add privilege dropping after binding privileged ports
  • Consider DANE/TLSA or MTA-STS for outbound mail TLS
  • Add per-module TLS verification controls instead of global toggle
  • Provide uninstall mechanism across all platforms
  • Windows Workstation Risk Rating

    For the primary deployment scenario of Windows developer workstations using the CLI tools (not running server components):

    Risk: LOW — The software is safe for Windows workstation deployment. The highest-risk findings (install script integrity, Windows CGI injection) are mitigated by:

    19. Appendix: Audit Methodology

    Audit Agents

    #AgentScope
    01supply-chainPackage managers, vendored libraries, pre-built binaries, Docker base images
    02build-provenanceCMake configuration, compiler flags, security hardening, linking, release scripts
    03network-endpointsHardcoded URLs, IP addresses, domain names, ports, binding behavior
    04tls-securityCertificate verification, TLS versions, cipher suites, plaintext protocols
    05credential-hardcodeAPI keys, passwords, tokens, secrets, infrastructure details in source
    06file-ioTemp files, directory permissions, data at rest, logging, path traversal
    07buffer-safetyString operations, snprintf/sprintf, format strings, scanf, stack buffers
    08memory-safetymalloc NULL checks, use-after-free, double-free, realloc patterns, leaks
    09command-injectionsystem(), popen(), exec*() calls, shell interpolation, input sanitization
    10privilege-accesssetuid/setgid, root requirements, namespace isolation, process spawning, IPC
    11windows-deploymentWindows binary compilation, Win32 API usage, network surface, self-update
    12telemetry-trackingData collection inventory, opt-in/opt-out behavior, startup network activity
    13install-scriptInstall scripts, update mechanism, distribution integrity, release pipeline

    Tools & Techniques

    Scope Exclusions


    Report generated by automated security audit pipeline — 13 agents, unified analysis Classification: CONFIDENTIAL — For Corporate Review Only