| Field | Value |
|---|---|
| Software | SCORPIOX CODE |
| Type | AI-Powered Development Tool / CLI Platform |
| Language | Pure C (zero external dependencies) |
| Audit Date | 2026-05-07 |
| Codebase Commit | c9d5a5e4758b2c5e7f5d22de4e54cd51e159253c |
| Classification | CONFIDENTIAL — For Corporate Review Only |
This report presents the findings of a comprehensive 13-agent automated security audit of SCORPIOX CODE, an AI-powered development tool and CLI platform written in pure C. The audit examined supply chain integrity, build provenance, network endpoints, TLS security, credential handling, file I/O, buffer safety, memory safety, command injection, privilege and access control, Windows deployment scope, telemetry, and install/distribution security.
Overall Risk Rating: LOWThe codebase demonstrates strong security engineering discipline across all domains. Out of 124 total findings, zero are critical severity, two are high (both in the install/distribution domain), 13 are medium, 32 are low, and 77 are informational (many of which are positive security controls). The safe-to-unsafe function ratio for buffer operations is an exceptional 3,493:1. All credential fields use empty-string defaults with runtime injection. All telemetry and tracking is disabled by default with no mandatory data collection. The primary area requiring attention is the install/distribution pipeline, which lacks cryptographic code signing and relies on a single distribution origin.
When scoped to Windows workstation deployment (the primary deployment target), findings reduce to 113 total (0 critical, 2 high, 12 medium, 27 low, 72 informational), as 11 findings relate exclusively to Linux-only binaries and container runtime features not present in the Windows distribution.
| Severity | Total Findings | Windows-Scoped |
|---|---|---|
| Critical | 0 | 0 |
| High | 2 | 2 |
| Medium | 13 | 12 |
| Low | 32 | 27 |
| Info | 77 | 72 |
| Total | 124 | 113 |
The following binaries are compiled and distributed for Windows:
| Binary | Purpose |
|---|---|
sx.exe | Main TUI client — primary AI coding assistant |
scorpiox.exe | Alias for sx.exe |
scorpiox-bash.exe | Cross-platform shell command executor |
scorpiox-busybox.exe | Minimal Unix utility collection for Windows |
scorpiox-screenshot.exe | Multi-monitor screenshot capture (Win32 GDI) |
scorpiox-vi.exe | Terminal text editor |
scorpiox-config.exe | TUI configuration editor |
scorpiox-websearch.exe | Web search engine interface |
scorpiox-fetch.exe | HTTP fetch utility |
scorpiox-renderimage.exe | Image renderer for terminal display |
scorpiox-pwsh.exe | Remote PowerShell via REST API |
scorpiox-wsl.exe | WSL2 launcher with self-update |
Additional Windows binaries (63 total): scorpiox-agent, scorpiox-askuserquestion, scorpiox-beam, scorpiox-bmp2png, scorpiox-claudecode-fetchtoken, scorpiox-claudecode-models, scorpiox-claudecode-refreshtoken, scorpiox-codex-fetchtoken, scorpiox-codex-models, scorpiox-codex-refreshtoken, scorpiox-conv, scorpiox-debug, scorpiox-dns, scorpiox-editfile, scorpiox-email, scorpiox-emit-session, scorpiox-frp, scorpiox-gemini-vertex, scorpiox-google-claude, scorpiox-google-fetchtoken, scorpiox-google-gemini, scorpiox-google-models, scorpiox-grep, scorpiox-hook, scorpiox-host, scorpiox-kql, scorpiox-logger, scorpiox-mcp, scorpiox-mirror-git, scorpiox-multiplexer, scorpiox-openai, scorpiox-otp, scorpiox-planmode, scorpiox-printlogs, scorpiox-pwshovertcp, scorpiox-readfile, scorpiox-rewind, scorpiox-sdk, scorpiox-search, scorpiox-server, scorpiox-server-email, scorpiox-server-fetchtoken, scorpiox-server-http2tcp, scorpiox-skills, scorpiox-systemprompt, scorpiox-tasks, scorpiox-tmux, scorpiox-transcript, scorpiox-usage, scorpiox-vault-git, scorpiox-vertex-models, scorpiox-voice.
The following binaries are not compiled on Windows and their findings do not apply to Windows deployments:
| Binary | Purpose | Why Linux-Only |
|---|---|---|
scorpiox-unshare | Rootless container runtime (user namespaces) | Linux kernel namespaces, seccomp, cgroups |
scorpiox-vm | KVM-based virtual machine runner | Linux KVM API |
scorpiox-init | Container initialization tool | Designed for Linux container entrypoint |
scorpiox-podman | Podman container orchestrator | Linux container ecosystem |
scorpiox-cron | Cron-like scheduler | Linux daemon pattern |
scorpiox-docs | Documentation server | Linux server deployment |
scorpiox-executecurl | Curl wrapper for containers | Linux container tooling |
scorpiox-runtest | Test runner | Linux CI infrastructure |
scorpiox-sshpass | SSH password automation | Linux SSH tooling |
scorpiox-traffic | Network traffic logger | Linux-specific networking |
scorpiox-whatsapp | WhatsApp bridge (Bun/TS runtime) | Bun runtime, Linux only |
| Binary | Purpose |
|---|---|
scorpiox-thunderbolt4 | Raw Ethernet frames via macOS BPF |
scorpiox-audiorecord | macOS Core Audio recording |
Of 124 total findings, 11 apply exclusively to Linux/macOS-only binaries, leaving 113 findings relevant to Windows deployment. The two HIGH findings (install script code signing) apply equally to all platforms including Windows.
fe4a27d | Folder output/2026-04-30_fe4a27d
| Metric | Previous (Apr 30) | Current (May 7) | Delta |
|---|---|---|---|
| Total Findings | 155 | 124 | −31 ▼ |
| Critical | 0 | 0 | — |
| High | 0 | 2 | +2 ▲ |
| Medium | 14 | 13 | −1 ▼ |
| Low | 44 | 32 | −12 ▼ |
| Info | 97 | 77 | −20 ▼ |
| Lines of Code (total) | 376,275 | 408,011 | +31,736 |
| Lines of Code (project) | 148,135 | 159,094 | +10,959 |
| Lines of Code (vendor) | 228,140 | 248,531 | +20,391 |
| Windows Findings (total) | 138 | 113 | −25 ▼ |
| Agents Used | 14 | 13 | −1 (wpf-launcher removed) |
wpf-launcher agent was removed from this audit cycle (14 → 13 agents)The project has a minimal, well-controlled supply chain. Three vendored C libraries are compiled from source with no pre-built binaries:
| Library | Version | License | Lines | Status |
|---|---|---|---|---|
| Mbed TLS | 3.6.6 | Apache-2.0 | 208,584 | ✅ Current (LTS) |
| yyjson | 0.12.0 | MIT | 19,556 | ✅ Current |
| stb (image/write/resize2) | 2.30/1.16/2.18 | Public Domain | 20,391 | ✅ Current |
FetchContent or ExternalProject in CMakesx_mbedtls_config.h) reduces attack surfaceThe build system uses CMake with C11 and demonstrates strong security hardening:
| Control | Status |
|---|---|
-fstack-protector-strong | ✅ Enabled |
-D_FORTIFY_SOURCE=2 | ✅ Enabled (Release) |
-fcf-protection (CFI) | ✅ Enabled (GCC) |
Full RELRO (-Wl,-z,relro,-z,now) | ✅ Enabled |
| Non-executable stack | ✅ Enabled |
| Binary stripping | ✅ All Release builds |
| Static linking | ✅ Default for Linux |
| ID | Severity | Finding |
|---|---|---|
| F-01 | LOW | PIE not explicitly enabled (relies on compiler defaults) |
| F-02 | LOW | Dockerfile.linux-arm64 base image not pinned by SHA256 digest |
| F-03 | MEDIUM | Ephemeral build containers lack build attestation metadata |
| F-04 | LOW | -Werror not enabled (warnings don't break build) |
| F-05–F-08 | INFO | Positive controls: single-author provenance, no secrets in build scripts, reproducible build structure, consistent compiler flags |
The codebase contains 50+ hardcoded network endpoints. All external API endpoints use HTTPS. The majority are intentional product features (AI provider integrations, distribution URLs, search engine connectors).
Findings:| ID | Severity | Finding | Recommendation |
|---|---|---|---|
| NET-01 | MEDIUM | Hardcoded public IP 20.53.240.54:9800 for TCP token relay (WASM config) — plain TCP, no TLS | Replace with DNS hostname; consider TLS wrapping |
| NET-02 | MEDIUM | Container registry TLS verification disabled by default (--tls-verify=false) | Set default to true; distribute registry CA certificate |
| NET-03 | LOW | HTTP relay (HTTP_RELAY=1) sends requests over plain TCP — disabled by default | Document security trade-off |
| NET-04 | LOW | DNS server binds to 0.0.0.0:53 — intentional server behavior | Configurable via DNS_LISTEN |
| NET-05 | LOW | Server components bind to 0.0.0.0 by design | Deploy behind firewall rules |
| NET-06 | LOW | scorpiox-beam uses plain TCP for LAN file transfer | Document LAN-only usage |
| NET-07 | INFO | All AI provider APIs use HTTPS with certificate verification | Positive control |
TLS posture is well-architected with a centralized sx_curl_set_tls() helper enforcing certificate verification by default.
| ID | Severity | Finding | Recommendation |
|---|---|---|---|
| TLS-01 | LOW | Static RSA key exchange enabled in Mbed TLS config (no forward secrecy) | Remove MBEDTLS_KEY_EXCHANGE_RSA_ENABLED to force ECDHE-only |
| TLS-02 | LOW | SX_TLS_VERIFY toggle allows disabling certificate verification (default: enabled, warning emitted) | Consider additional guard for production builds |
| TLS-03 | LOW | SMTP direct MX delivery uses VERIFY_OPTIONAL — standard practice | No action needed |
| TLS-04–TLS-11 | INFO | Positive controls: centralized TLS helper, CA bundle verification, Mbed TLS VERIFY_REQUIRED for relay, STARTTLS support, TLS 1.2 minimum, certificate hostname validation, configurable CA path, HSTS on distribution domains |
| ID | Severity | Finding |
|---|---|---|
| CRED-01 | LOW | Hardcoded infrastructure IP 20.53.240.54 in embedded config (not a credential — operational configuration) |
| CRED-02 | INFO | SHA-256 firmware integrity hash embedded in source — positive security control |
| CRED-03 | INFO | All credential placeholders are empty — proper secrets-from-environment pattern |
| CRED-04 | INFO | Config keys document credential fields without exposing values |
The codebase has strong file I/O hygiene: centralized sx_fopen() macro ensures FD_CLOEXEC, sx_mkdir() uses 0700 permissions, mkstemp() for temp files, and chmod 0600 for sensitive config.
| ID | Severity | Finding | Recommendation |
|---|---|---|---|
| FIO-03 | MEDIUM | API request/response bodies logged in full to api.log (data at rest — chmod 0600) | Add config toggle API_LOG_BODIES=0; document sensitive content |
| FIO-01 | LOW | WASM cmd_mktemp creates temp dirs with 0755 and uses raw fopen() (WASM sandbox context) | Change to 0700; use sx_fopen() |
| FIO-02 | LOW | scorpiox-editfile uses raw fopen() instead of sx_fopen() | Replace for consistency |
| FIO-04 | LOW | /dev/null opens lack O_CLOEXEC in fork paths (30+ occurrences) | Add O_CLOEXEC for consistency |
| FIO-05 | LOW | Windows _mktemp_s in agent askuser path is non-atomic | Use CreateFile with CREATE_NEW |
| FIO-06–FIO-12 | INFO | Positive controls: centralized sx_fopen(), sx_mkdir(0700), mkstemp(), API key header redaction, config chmod 0600, conversation files restricted, log rotation support |
Buffer safety discipline is exceptional:
| Metric | Value |
|---|---|
snprintf (safe) | 2,295 uses |
strncpy (safe) | 623 uses |
sprintf (unsafe) | 1 use (safe pattern — deterministic bounds) |
strcpy / strcat / gets | 0 uses |
| Safe-to-unsafe ratio | 3,493:1 |
| ID | Severity | Finding | Recommendation |
|---|---|---|---|
| BSF-02 | LOW | Uncapped calloc from network-controlled header_count (up to 512 KB per request) | Cap to min(header_count, SX_HTTP_MAX_HEADERS) |
| BSF-03 | LOW | Integer multiplication in calloc for screenshot buffers (int32_t int32_t) | Use (size_t)stride height |
| BSF-04 | LOW | Stack buffers ≥ 32 KB in 4 locations (stack overflow risk on constrained systems) | Consider heap allocation for large buffers |
| BSF-01 | INFO | Single sprintf use is safe (deterministic SHA-256 hex conversion) | Replace with snprintf for stylistic consistency |
| BSF-05–BSF-10 | INFO | Positive controls: consistent snprintf everywhere, memcpy with explicit bounds, stack canaries via -fstack-protector-strong, FORTIFY_SOURCE=2 |
No use-after-free or double-free vulnerabilities were confirmed. The project uses sx_strdup() (abort-on-OOM wrapper) and consistent realloc patterns with temporary variables.
| ID | Severity | Finding | Recommendation |
|---|---|---|---|
| MEM-01 | MEDIUM | DKIM buffer not freed after successful SMTP delivery — per-email memory leak | Add free(dkim_buf) before return |
| MEM-02 | LOW | Missing NULL check on calloc in API history initialization — inconsistent error path | Remove premature return -1 at line 108 |
| MEM-03 | LOW | Memory leaks on error paths in 3 locations (allocated buffers not freed before early returns) | Add cleanup labels or goto cleanup patterns |
| MEM-04–MEM-10 | INFO | Positive controls: sx_strdup() abort-on-OOM, consistent realloc patterns, 686 allocation sites audited, NULL checks present on majority |
The codebase demonstrates strong command injection awareness with CJ-* tags in comments indicating prior remediation. Critical paths use fork()+execvp() with argv arrays or is_safe_shell_arg() validation.
| ID | Severity | Finding | Recommendation |
|---|---|---|---|
| CJ-01 | MEDIUM | INIT_TOOLS env var injected into shell command without sanitization (Linux-only scorpiox-init) | Validate with is_safe_shell_arg() or use fork()+execlp("which", ...) |
| CJ-02 | LOW | Windows system() with inadequate double-quote escaping in scorpiox-search.c | Use CreateProcessW() or escape cmd.exe metacharacters |
| CJ-03 | LOW | Unsanitized session name in sx_system_safe() fallback path (requires binary missing AND malicious name) | Remove fallback or validate with is_safe_shell_arg() |
| CJ-04 | LOW | Dependency name from trusted tool JSON output used in shell command | Validate names to [a-zA-Z0-9._-] |
| CJ-05–CJ-10 | INFO | Positive controls: scorpiox-agent validates all args before shell use, is_safe_shell_arg() used extensively, scorpiox-wsl.c uses CreateProcessA to prevent injection, web search uses fork()+execvp() on Unix |
scorpiox-unshare) runs trusted first-party agents on a private network — not untrusted workloads from the internet. Severity ratings reflect this deployment model.
Findings:
| ID | Severity | Finding | Recommendation |
|---|---|---|---|
| P-01 | LOW | Container port forwarding binds on 0.0.0.0 (Linux-only) | Default to 127.0.0.1; add opt-in flag for LAN access |
| P-02 | LOW | Seccomp filter blocks only 2 syscalls (personality, keyctl) — defense-in-depth suggestion (Linux-only) | Extend blocklist with kexec_load, ptrace, userfaultfd, etc. |
| P-03 | LOW | Only CAP_IPC_LOCK dropped from capability bounding set (Linux-only) | Drop additional capabilities for defense-in-depth |
| P-04 | INFO | --privileged mode is an intentional power-user feature — not a vulnerability | |
| P-05 | INFO | scorpiox-thunderbolt4 requires root for BPF — intentional design (macOS-only) | |
| P-06 | INFO | scorpiox-dns requires root for port 53 — provides non-root alternative via config | |
| P-07 | INFO | Root-as-root container skips CLONE_NEWUSER — correct decision matching Docker/Podman | |
| P-08 | INFO | PR_SET_NO_NEW_PRIVS applied before seccomp — positive control | |
| P-09 | INFO | Host loopback disabled in slirp4netns — positive isolation control | |
| P-10 | INFO | Process spawning uses fork+exec with explicit argv — no shell injection | |
| P-11 | INFO | No setuid/setgid binaries installed | |
| P-12 | INFO | User namespaces provide rootless container isolation | |
| P-13 | INFO | UID/GID mapping is properly scoped | |
| P-14 | INFO | CLONE_NEWPID provides PID isolation inside containers |
The Windows build produces 63 executables using MinGW static linking with vendored libraries.
Findings:| ID | Severity | Finding | Recommendation |
|---|---|---|---|
| W-01 | MEDIUM | scorpiox-pwshovertcp binds to 0.0.0.0 with remote command execution (API key required) | Document high-entropy key requirement; add rate limiting |
| W-02 | MEDIUM | scorpiox-server binds to 0.0.0.0 executing Python scripts (JWT auth available) | Ensure JWT enabled for network-accessible deployments |
| W-03 | MEDIUM | scorpiox-server-email binds on privileged ports (25, 587, 993) — no admin required on Windows | Deploy behind Windows Firewall rules |
| W-04 | LOW | scorpiox-beam transfers files without encryption (LAN-only design) | Document trusted-network requirement |
| W-05 | LOW | scorpiox-dns binds to 0.0.0.0:53 | Use DNS_LISTEN to restrict interfaces |
| W-06 | INFO | CreateProcessA usage is consistent and safe — no system() on Windows | |
| W-07 | INFO | Windows version resources attached to all binaries | |
| W-08 | INFO | Static linking eliminates DLL hijacking risk for vendored libraries | |
| W-09 | INFO | scorpiox-host and scorpiox-sdk bind to 127.0.0.1 only — positive control | |
| W-10 | INFO | Token source configuration is intentional and documented | |
| W-11 | INFO | WSL2 image download uses HTTPS | |
| W-12 | INFO | scorpiox-wsl self-update uses SHA256 verification with rollback on failure |
| Control | Status |
|---|---|
CreateProcessA (no system()) | ✅ |
| Static linking (no DLL hijacking) | ✅ |
Stack protector (-fstack-protector-strong) | ✅ |
FORTIFY_SOURCE=2 | ✅ |
| Binary stripping | ✅ |
| Version resources | ✅ |
| Feature | Config Key | Default | Status |
|---|---|---|---|
| Usage tracking | USAGE_TRACKING | 0 (disabled) | Opt-in only |
| Session telemetry | EMIT_SESSION_TRACKING | 0 (disabled) | Opt-in only |
| HTTP Relay | HTTP_RELAY | 0 (disabled) | Opt-in only |
| Auto-update | UPDATE_URL | "" (empty) | WSL launcher only |
USAGE_TRACKING=0
EMIT_SESSION_TRACKING=0
EMIT_SESSION_API_URL=
USAGE_API_URL=
UPDATE_URL=
HTTP_RELAY=0
Findings:
| ID | Severity | Finding |
|---|---|---|
| TEL-01 | INFO | Stale documentation in scorpiox-usage.c header says default is 1 — actual default is 0 |
| TEL-02 | INFO | Machine fingerprint collection when opt-in enabled — intentional, documented |
| TEL-03 | INFO | Full conversation content transmitted when session telemetry enabled — opt-in only |
This is the highest-risk area of the audit. The install/distribution system uses curl|bash (Linux/macOS) and iwr|iex (Windows) patterns.
| ID | Severity | Finding | Recommendation |
|---|---|---|---|
| INST-01 | HIGH | No cryptographic code signing — SHA256 sidecar and binary served from same origin | Implement GPG/cosign/minisign signatures with offline-stored private key |
| INST-02 | HIGH | Single NAS is single point of compromise for supply chain | Multi-party signing; separate signing from distribution infrastructure |
| INST-03 | MEDIUM | --no-verify flag on Linux/macOS allows skipping SHA256 verification | Remove or gate behind SCORPIOX_INSECURE=1 |
| INST-04 | MEDIUM | Linux: silent SHA256 bypass when sha256sum binary not available | Abort install if no hash tool; check openssl dgst as fallback |
| INST-05 | MEDIUM | Non-atomic install — tar -xzf directly into /usr/local/bin | Extract to temp dir, verify, then mv into place |
| INST-06 | MEDIUM | index.txt single-file branch pointer controls global distribution | Sign index.txt; add version metadata |
| INST-07 | LOW | Windows updater uses -ExecutionPolicy Bypass | Expected for self-managed tooling |
| INST-08 | LOW | No version pinning or rollback in install/update scripts | Add --version flag; keep previous version for rollback |
| INST-09 | LOW | chmod +x applied via glob scorpiox* — overly broad | Use explicit file list |
| INST-10–17 | INFO | Positive controls: HTTPS enforced, HSTS headers, Windows installer has no --no-verify, WSL self-update fails closed, rollback on failure, no auto-update persistence, set -e in bash scripts, legacy migration path |
| # | Area | Finding | Severity | Status | Recommendation |
|---|---|---|---|---|---|
| 1 | Install/Distribution | No cryptographic code signing | HIGH | Open | Implement cosign/minisign with offline key |
| 2 | Install/Distribution | Single NAS as distribution SPOF | HIGH | Open | Multi-party signing; separate infrastructure |
| 3 | Network | Hardcoded IP for TCP token relay (WASM) | MEDIUM | Open | Replace with DNS hostname; add TLS |
| 4 | Network | Container registry TLS verify disabled by default | MEDIUM | Open | Default to true; distribute CA cert |
| 5 | Build | No build attestation metadata | MEDIUM | Open | Add SLSA provenance to release pipeline |
| 6 | File I/O | API bodies logged to api.log unconditionally | MEDIUM | Open | Add API_LOG_BODIES config toggle |
| 7 | Memory | DKIM buffer leak on successful email delivery | MEDIUM | Open | Add free(dkim_buf) before return |
| 8 | Command Injection | INIT_TOOLS env var unsanitized (Linux-only) | MEDIUM | Open | Validate with is_safe_shell_arg() |
| 9 | Windows | scorpiox-pwshovertcp on 0.0.0.0 with exec | MEDIUM | Open | Add rate limiting; document key requirements |
| 10 | Windows | scorpiox-server on 0.0.0.0 with script exec | MEDIUM | Open | Ensure JWT enabled in network deployments |
| 11 | Windows | Email server on privileged ports without admin | MEDIUM | Open | Deploy behind Windows Firewall |
| 12 | Install | --no-verify flag allows SHA256 skip | MEDIUM | Open | Gate behind explicit env var |
| 13 | Install | Silent SHA256 bypass when tool missing | MEDIUM | Open | Abort install if no hash tool |
| 14 | Install | Non-atomic installation | MEDIUM | Open | Stage to temp dir then move |
| 15 | Install | index.txt controls global distribution | MEDIUM | Open | Sign index file |
| 16 | TLS | Static RSA key exchange (no PFS) | LOW | Open | Remove MBEDTLS_KEY_EXCHANGE_RSA_ENABLED |
| 17 | TLS | Configurable TLS verification bypass | LOW | Open | Add additional guard for production |
| 18 | TLS | SMTP MX delivery uses VERIFY_OPTIONAL | LOW | Accepted | Standard SMTP practice |
| 19 | Credentials | Hardcoded infrastructure IP | LOW | Open | Use DNS hostname |
| 20 | File I/O | WASM temp dirs created with 0755 | LOW | Open | Change to 0700 |
| 21 | File I/O | scorpiox-editfile uses raw fopen() | LOW | Open | Use sx_fopen() |
| 22 | File I/O | /dev/null opens lack O_CLOEXEC | LOW | Open | Add O_CLOEXEC |
| 23 | File I/O | Windows _mktemp_s non-atomic | LOW | Open | Use CreateFile with CREATE_NEW |
| 24 | Buffer | Uncapped calloc from network header_count | LOW | Open | Cap to SX_HTTP_MAX_HEADERS |
| 25 | Buffer | Integer multiplication overflow in screenshot | LOW | Open | Cast to size_t |
| 26 | Buffer | Large stack buffers (≥32 KB) | LOW | Open | Consider heap allocation |
| 27 | Memory | Missing NULL check in API history init | LOW | Open | Fix error path consistency |
| 28 | Memory | Memory leaks on error paths (3 locations) | LOW | Open | Add cleanup patterns |
| 29 | Command Injection | Windows system() quote escaping | LOW | Open | Use CreateProcessW() |
| 30 | Command Injection | Session name in fallback path | LOW | Open | Validate or remove fallback |
| 31 | Command Injection | Dependency name from tool JSON | LOW | Open | Restrict to [a-zA-Z0-9._-] |
| 32 | Privilege | Container port bind on 0.0.0.0 (Linux) | LOW | Open | Default to 127.0.0.1 |
| 33 | Privilege | Minimal seccomp blocklist (Linux) | LOW | Open | Extend blocklist |
| 34 | Privilege | Minimal capability dropping (Linux) | LOW | Open | Drop additional capabilities |
| 35 | Windows | scorpiox-beam unencrypted LAN transfer | LOW | Open | Document trusted-network only |
| 36 | Windows | DNS server on 0.0.0.0 | LOW | Open | Use DNS_LISTEN to restrict |
| 37 | Build | PIE not explicitly enabled | LOW | Open | Set CMAKE_POSITION_INDEPENDENT_CODE ON |
| 38 | Build | ARM64 Dockerfile image not pinned by digest | LOW | Open | Pin by @sha256:... |
| 39 | Build | -Werror not enabled | LOW | Open | Enable for CI builds |
| 40 | Install | -ExecutionPolicy Bypass in updater | LOW | Accepted | Expected for self-managed tooling |
| 41 | Install | No version pinning or rollback | LOW | Open | Add --version flag |
| 42 | Install | Overly broad chmod +x glob | LOW | Open | Use explicit file list |
SCORPIOX CODE demonstrates strong security engineering across its pure-C codebase. The overall risk rating is LOW for Windows workstation deployment.
Strengths:CreateProcessA on Windows (no system() calls)api.log may contain sensitive content.sxmail_smtp.c to prevent memory exhaustion on busy mail servers.For Windows workstation deployment, the following findings are recommended for risk acceptance:
INIT_TOOLS command injection (CJ-01) — Linux-only scorpiox-init--privileged mode — intentional power-user featureVERIFY_OPTIONAL — standard SMTP practice-ExecutionPolicy Bypass in updater — expected for self-managed tooling| # | Agent | Scope |
|---|---|---|
| 1 | supply-chain | Package managers, vendored libraries, pre-built binaries, Windows release contents |
| 2 | build-provenance | CMake build system, compiler flags, linker hardening, Dockerfiles, git history |
| 3 | network-endpoints | Hardcoded URLs, IPs, domains, ports in 234 first-party source files |
| 4 | tls-security | Certificate verification, protocol versions, cipher suites, plaintext protocols |
| 5 | credential-hardcode | Pattern-based grep for API keys, passwords, tokens, secrets, PEM keys |
| 6 | file-io | File operations, temp files, directory permissions, data at rest |
| 7 | buffer-safety | sprintf/strcpy/strcat/gets/scanf usage, stack buffer sizes, bounds checks |
| 8 | memory-safety | malloc/calloc/realloc NULL checks, use-after-free, double-free, memory leaks |
| 9 | command-injection | system(), popen(), exec*() call sites with unsanitized input |
| 10 | privilege-access | setuid/setgid, root requirements, sandboxing, namespace isolation, IPC |
| 11 | windows-deployment | Windows binary inventory, Win32 API usage, Windows-specific attack surface |
| 12 | telemetry-tracking | Data collection inventory, default configuration, opt-in/opt-out mechanisms |
| 13 | install-script | Installation scripts, update mechanism, distribution integrity, auto-update |
clang repository at commit c9d5a5e4758b2c5e7f5d22de4e54cd51e159253cThe audit was conducted with the understanding that:
--privileged mode is an intentional feature, not a vulnerability