📄 security-audit-report.md
⬇ Download Raw

Third-Party Software Security Review — SCORPIOX CODE

FieldValue
SoftwareSCORPIOX CODE
TypeAI-Powered Development Tool / CLI Platform
LanguagePure C (zero external dependencies)
Audit Date2026-05-07
Codebase Commitc9d5a5e4758b2c5e7f5d22de4e54cd51e159253c
ClassificationCONFIDENTIAL — For Corporate Review Only

1. Executive Summary

This report presents the findings of a comprehensive 13-agent automated security audit of SCORPIOX CODE, an AI-powered development tool and CLI platform written in pure C. The audit examined supply chain integrity, build provenance, network endpoints, TLS security, credential handling, file I/O, buffer safety, memory safety, command injection, privilege and access control, Windows deployment scope, telemetry, and install/distribution security.

Overall Risk Rating: LOW

The codebase demonstrates strong security engineering discipline across all domains. Out of 124 total findings, zero are critical severity, two are high (both in the install/distribution domain), 13 are medium, 32 are low, and 77 are informational (many of which are positive security controls). The safe-to-unsafe function ratio for buffer operations is an exceptional 3,493:1. All credential fields use empty-string defaults with runtime injection. All telemetry and tracking is disabled by default with no mandatory data collection. The primary area requiring attention is the install/distribution pipeline, which lacks cryptographic code signing and relies on a single distribution origin.

When scoped to Windows workstation deployment (the primary deployment target), findings reduce to 113 total (0 critical, 2 high, 12 medium, 27 low, 72 informational), as 11 findings relate exclusively to Linux-only binaries and container runtime features not present in the Windows distribution.

SeverityTotal FindingsWindows-Scoped
Critical00
High22
Medium1312
Low3227
Info7772
Total124113

2. Deployment Scope

2.1 Windows Workstation (Primary Deployment Target)

The following binaries are compiled and distributed for Windows:

BinaryPurpose
sx.exeMain TUI client — primary AI coding assistant
scorpiox.exeAlias for sx.exe
scorpiox-bash.exeCross-platform shell command executor
scorpiox-busybox.exeMinimal Unix utility collection for Windows
scorpiox-screenshot.exeMulti-monitor screenshot capture (Win32 GDI)
scorpiox-vi.exeTerminal text editor
scorpiox-config.exeTUI configuration editor
scorpiox-websearch.exeWeb search engine interface
scorpiox-fetch.exeHTTP fetch utility
scorpiox-renderimage.exeImage renderer for terminal display
scorpiox-pwsh.exeRemote PowerShell via REST API
scorpiox-wsl.exeWSL2 launcher with self-update

Additional Windows binaries (63 total): scorpiox-agent, scorpiox-askuserquestion, scorpiox-beam, scorpiox-bmp2png, scorpiox-claudecode-fetchtoken, scorpiox-claudecode-models, scorpiox-claudecode-refreshtoken, scorpiox-codex-fetchtoken, scorpiox-codex-models, scorpiox-codex-refreshtoken, scorpiox-conv, scorpiox-debug, scorpiox-dns, scorpiox-editfile, scorpiox-email, scorpiox-emit-session, scorpiox-frp, scorpiox-gemini-vertex, scorpiox-google-claude, scorpiox-google-fetchtoken, scorpiox-google-gemini, scorpiox-google-models, scorpiox-grep, scorpiox-hook, scorpiox-host, scorpiox-kql, scorpiox-logger, scorpiox-mcp, scorpiox-mirror-git, scorpiox-multiplexer, scorpiox-openai, scorpiox-otp, scorpiox-planmode, scorpiox-printlogs, scorpiox-pwshovertcp, scorpiox-readfile, scorpiox-rewind, scorpiox-sdk, scorpiox-search, scorpiox-server, scorpiox-server-email, scorpiox-server-fetchtoken, scorpiox-server-http2tcp, scorpiox-skills, scorpiox-systemprompt, scorpiox-tasks, scorpiox-tmux, scorpiox-transcript, scorpiox-usage, scorpiox-vault-git, scorpiox-vertex-models, scorpiox-voice.

2.2 Linux-Only Binaries (Not in Windows Distribution)

The following binaries are not compiled on Windows and their findings do not apply to Windows deployments:

BinaryPurposeWhy Linux-Only
scorpiox-unshareRootless container runtime (user namespaces)Linux kernel namespaces, seccomp, cgroups
scorpiox-vmKVM-based virtual machine runnerLinux KVM API
scorpiox-initContainer initialization toolDesigned for Linux container entrypoint
scorpiox-podmanPodman container orchestratorLinux container ecosystem
scorpiox-cronCron-like schedulerLinux daemon pattern
scorpiox-docsDocumentation serverLinux server deployment
scorpiox-executecurlCurl wrapper for containersLinux container tooling
scorpiox-runtestTest runnerLinux CI infrastructure
scorpiox-sshpassSSH password automationLinux SSH tooling
scorpiox-trafficNetwork traffic loggerLinux-specific networking
scorpiox-whatsappWhatsApp bridge (Bun/TS runtime)Bun runtime, Linux only

2.3 macOS-Only Binaries

BinaryPurpose
scorpiox-thunderbolt4Raw Ethernet frames via macOS BPF
scorpiox-audiorecordmacOS Core Audio recording

2.4 Windows-Filtered Findings

Of 124 total findings, 11 apply exclusively to Linux/macOS-only binaries, leaving 113 findings relevant to Windows deployment. The two HIGH findings (install script code signing) apply equally to all platforms including Windows.


3. Changes Since Last Audit

Previous Audit: 2026-04-30 | Commit fe4a27d | Folder output/2026-04-30_fe4a27d
MetricPrevious (Apr 30)Current (May 7)Delta
Total Findings155124−31
Critical00
High02+2
Medium1413−1
Low4432−12
Info9777−20
Lines of Code (total)376,275408,011+31,736
Lines of Code (project)148,135159,094+10,959
Lines of Code (vendor)228,140248,531+20,391
Windows Findings (total)138113−25
Agents Used1413−1 (wpf-launcher removed)
Key Changes:

4. Supply Chain & Dependencies

Agent: supply-chain | Risk: LOW | Findings: 0 Critical, 0 High, 0 Medium, 0 Low, 6 Info

The project has a minimal, well-controlled supply chain. Three vendored C libraries are compiled from source with no pre-built binaries:

LibraryVersionLicenseLinesStatus
Mbed TLS3.6.6Apache-2.0208,584✅ Current (LTS)
yyjson0.12.0MIT19,556✅ Current
stb (image/write/resize2)2.30/1.16/2.18Public Domain20,391✅ Current
Key Findings:

5. Build System & Code Provenance

Agent: build-provenance | Risk: LOW | Findings: 0 Critical, 0 High, 1 Medium, 3 Low, 4 Info

The build system uses CMake with C11 and demonstrates strong security hardening:

ControlStatus
-fstack-protector-strong✅ Enabled
-D_FORTIFY_SOURCE=2✅ Enabled (Release)
-fcf-protection (CFI)✅ Enabled (GCC)
Full RELRO (-Wl,-z,relro,-z,now)✅ Enabled
Non-executable stack✅ Enabled
Binary stripping✅ All Release builds
Static linking✅ Default for Linux
Findings:
IDSeverityFinding
F-01LOWPIE not explicitly enabled (relies on compiler defaults)
F-02LOWDockerfile.linux-arm64 base image not pinned by SHA256 digest
F-03MEDIUMEphemeral build containers lack build attestation metadata
F-04LOW-Werror not enabled (warnings don't break build)
F-05–F-08INFOPositive controls: single-author provenance, no secrets in build scripts, reproducible build structure, consistent compiler flags

6. Network Endpoints

Agent: network-endpoints | Risk: LOW | Findings: 0 Critical, 0 High, 2 Medium, 4 Low, 1 Info

The codebase contains 50+ hardcoded network endpoints. All external API endpoints use HTTPS. The majority are intentional product features (AI provider integrations, distribution URLs, search engine connectors).

Findings:
IDSeverityFindingRecommendation
NET-01MEDIUMHardcoded public IP 20.53.240.54:9800 for TCP token relay (WASM config) — plain TCP, no TLSReplace with DNS hostname; consider TLS wrapping
NET-02MEDIUMContainer registry TLS verification disabled by default (--tls-verify=false)Set default to true; distribute registry CA certificate
NET-03LOWHTTP relay (HTTP_RELAY=1) sends requests over plain TCP — disabled by defaultDocument security trade-off
NET-04LOWDNS server binds to 0.0.0.0:53 — intentional server behaviorConfigurable via DNS_LISTEN
NET-05LOWServer components bind to 0.0.0.0 by designDeploy behind firewall rules
NET-06LOWscorpiox-beam uses plain TCP for LAN file transferDocument LAN-only usage
NET-07INFOAll AI provider APIs use HTTPS with certificate verificationPositive control

7. TLS/SSL Security

Agent: tls-security | Risk: LOW | Findings: 0 Critical, 0 High, 0 Medium, 3 Low, 8 Info

TLS posture is well-architected with a centralized sx_curl_set_tls() helper enforcing certificate verification by default.

Findings:
IDSeverityFindingRecommendation
TLS-01LOWStatic RSA key exchange enabled in Mbed TLS config (no forward secrecy)Remove MBEDTLS_KEY_EXCHANGE_RSA_ENABLED to force ECDHE-only
TLS-02LOWSX_TLS_VERIFY toggle allows disabling certificate verification (default: enabled, warning emitted)Consider additional guard for production builds
TLS-03LOWSMTP direct MX delivery uses VERIFY_OPTIONAL — standard practiceNo action needed
TLS-04–TLS-11INFOPositive controls: centralized TLS helper, CA bundle verification, Mbed TLS VERIFY_REQUIRED for relay, STARTTLS support, TLS 1.2 minimum, certificate hostname validation, configurable CA path, HSTS on distribution domains

8. Hardcoded Credentials

Agent: credential-hardcode | Risk: LOW | Findings: 0 Critical, 0 High, 0 Medium, 1 Low, 3 Info No hardcoded credentials found. All 13 credential-type fields use empty-string placeholders with runtime injection via environment variables or config files.
IDSeverityFinding
CRED-01LOWHardcoded infrastructure IP 20.53.240.54 in embedded config (not a credential — operational configuration)
CRED-02INFOSHA-256 firmware integrity hash embedded in source — positive security control
CRED-03INFOAll credential placeholders are empty — proper secrets-from-environment pattern
CRED-04INFOConfig keys document credential fields without exposing values

9. File I/O & Data Handling

Agent: file-io | Risk: LOW | Findings: 0 Critical, 0 High, 1 Medium, 4 Low, 7 Info

The codebase has strong file I/O hygiene: centralized sx_fopen() macro ensures FD_CLOEXEC, sx_mkdir() uses 0700 permissions, mkstemp() for temp files, and chmod 0600 for sensitive config.

Findings:
IDSeverityFindingRecommendation
FIO-03MEDIUMAPI request/response bodies logged in full to api.log (data at rest — chmod 0600)Add config toggle API_LOG_BODIES=0; document sensitive content
FIO-01LOWWASM cmd_mktemp creates temp dirs with 0755 and uses raw fopen() (WASM sandbox context)Change to 0700; use sx_fopen()
FIO-02LOWscorpiox-editfile uses raw fopen() instead of sx_fopen()Replace for consistency
FIO-04LOW/dev/null opens lack O_CLOEXEC in fork paths (30+ occurrences)Add O_CLOEXEC for consistency
FIO-05LOWWindows _mktemp_s in agent askuser path is non-atomicUse CreateFile with CREATE_NEW
FIO-06–FIO-12INFOPositive controls: centralized sx_fopen(), sx_mkdir(0700), mkstemp(), API key header redaction, config chmod 0600, conversation files restricted, log rotation support

10. Buffer Safety

Agent: buffer-safety | Risk: LOW | Findings: 0 Critical, 0 High, 0 Medium, 3 Low, 7 Info

Buffer safety discipline is exceptional:

MetricValue
snprintf (safe)2,295 uses
strncpy (safe)623 uses
sprintf (unsafe)1 use (safe pattern — deterministic bounds)
strcpy / strcat / gets0 uses
Safe-to-unsafe ratio3,493:1
Findings:
IDSeverityFindingRecommendation
BSF-02LOWUncapped calloc from network-controlled header_count (up to 512 KB per request)Cap to min(header_count, SX_HTTP_MAX_HEADERS)
BSF-03LOWInteger multiplication in calloc for screenshot buffers (int32_t int32_t)Use (size_t)stride height
BSF-04LOWStack buffers ≥ 32 KB in 4 locations (stack overflow risk on constrained systems)Consider heap allocation for large buffers
BSF-01INFOSingle sprintf use is safe (deterministic SHA-256 hex conversion)Replace with snprintf for stylistic consistency
BSF-05–BSF-10INFOPositive controls: consistent snprintf everywhere, memcpy with explicit bounds, stack canaries via -fstack-protector-strong, FORTIFY_SOURCE=2

11. Memory Safety

Agent: memory-safety | Risk: LOW | Findings: 0 Critical, 0 High, 1 Medium, 2 Low, 7 Info

No use-after-free or double-free vulnerabilities were confirmed. The project uses sx_strdup() (abort-on-OOM wrapper) and consistent realloc patterns with temporary variables.

Findings:
IDSeverityFindingRecommendation
MEM-01MEDIUMDKIM buffer not freed after successful SMTP delivery — per-email memory leakAdd free(dkim_buf) before return
MEM-02LOWMissing NULL check on calloc in API history initialization — inconsistent error pathRemove premature return -1 at line 108
MEM-03LOWMemory leaks on error paths in 3 locations (allocated buffers not freed before early returns)Add cleanup labels or goto cleanup patterns
MEM-04–MEM-10INFOPositive controls: sx_strdup() abort-on-OOM, consistent realloc patterns, 686 allocation sites audited, NULL checks present on majority

12. Command Injection

Agent: command-injection | Risk: LOW | Findings: 0 Critical, 0 High, 1 Medium, 3 Low, 6 Info

The codebase demonstrates strong command injection awareness with CJ-* tags in comments indicating prior remediation. Critical paths use fork()+execvp() with argv arrays or is_safe_shell_arg() validation.

Findings:
IDSeverityFindingRecommendation
CJ-01MEDIUMINIT_TOOLS env var injected into shell command without sanitization (Linux-only scorpiox-init)Validate with is_safe_shell_arg() or use fork()+execlp("which", ...)
CJ-02LOWWindows system() with inadequate double-quote escaping in scorpiox-search.cUse CreateProcessW() or escape cmd.exe metacharacters
CJ-03LOWUnsanitized session name in sx_system_safe() fallback path (requires binary missing AND malicious name)Remove fallback or validate with is_safe_shell_arg()
CJ-04LOWDependency name from trusted tool JSON output used in shell commandValidate names to [a-zA-Z0-9._-]
CJ-05–CJ-10INFOPositive controls: scorpiox-agent validates all args before shell use, is_safe_shell_arg() used extensively, scorpiox-wsl.c uses CreateProcessA to prevent injection, web search uses fork()+execvp() on Unix

13. Privilege & Access Control

Agent: privilege-access | Risk: LOW | Findings: 0 Critical, 0 High, 0 Medium, 3 Low, 11 Info Threat Model Context: The container runtime (scorpiox-unshare) runs trusted first-party agents on a private network — not untrusted workloads from the internet. Severity ratings reflect this deployment model. Findings:
IDSeverityFindingRecommendation
P-01LOWContainer port forwarding binds on 0.0.0.0 (Linux-only)Default to 127.0.0.1; add opt-in flag for LAN access
P-02LOWSeccomp filter blocks only 2 syscalls (personality, keyctl) — defense-in-depth suggestion (Linux-only)Extend blocklist with kexec_load, ptrace, userfaultfd, etc.
P-03LOWOnly CAP_IPC_LOCK dropped from capability bounding set (Linux-only)Drop additional capabilities for defense-in-depth
P-04INFO--privileged mode is an intentional power-user feature — not a vulnerability
P-05INFOscorpiox-thunderbolt4 requires root for BPF — intentional design (macOS-only)
P-06INFOscorpiox-dns requires root for port 53 — provides non-root alternative via config
P-07INFORoot-as-root container skips CLONE_NEWUSER — correct decision matching Docker/Podman
P-08INFOPR_SET_NO_NEW_PRIVS applied before seccomp — positive control
P-09INFOHost loopback disabled in slirp4netns — positive isolation control
P-10INFOProcess spawning uses fork+exec with explicit argv — no shell injection
P-11INFONo setuid/setgid binaries installed
P-12INFOUser namespaces provide rootless container isolation
P-13INFOUID/GID mapping is properly scoped
P-14INFOCLONE_NEWPID provides PID isolation inside containers

14. Windows Deployment Analysis

Agent: windows-deployment | Risk: LOW | Findings: 0 Critical, 0 High, 3 Medium, 3 Low, 6 Info

The Windows build produces 63 executables using MinGW static linking with vendored libraries.

Findings:
IDSeverityFindingRecommendation
W-01MEDIUMscorpiox-pwshovertcp binds to 0.0.0.0 with remote command execution (API key required)Document high-entropy key requirement; add rate limiting
W-02MEDIUMscorpiox-server binds to 0.0.0.0 executing Python scripts (JWT auth available)Ensure JWT enabled for network-accessible deployments
W-03MEDIUMscorpiox-server-email binds on privileged ports (25, 587, 993) — no admin required on WindowsDeploy behind Windows Firewall rules
W-04LOWscorpiox-beam transfers files without encryption (LAN-only design)Document trusted-network requirement
W-05LOWscorpiox-dns binds to 0.0.0.0:53Use DNS_LISTEN to restrict interfaces
W-06INFOCreateProcessA usage is consistent and safe — no system() on Windows
W-07INFOWindows version resources attached to all binaries
W-08INFOStatic linking eliminates DLL hijacking risk for vendored libraries
W-09INFOscorpiox-host and scorpiox-sdk bind to 127.0.0.1 only — positive control
W-10INFOToken source configuration is intentional and documented
W-11INFOWSL2 image download uses HTTPS
W-12INFOscorpiox-wsl self-update uses SHA256 verification with rollback on failure
Windows Build Security Controls:
ControlStatus
CreateProcessA (no system())
Static linking (no DLL hijacking)
Stack protector (-fstack-protector-strong)
FORTIFY_SOURCE=2
Binary stripping
Version resources

15. Telemetry and Tracking

Agent: telemetry-tracking | Risk: LOW | Findings: 0 Critical, 0 High, 0 Medium, 0 Low, 3 Info Verdict: No tracking by default. All telemetry features are disabled out-of-the-box. No mandatory data collection exists. No network calls at startup.
FeatureConfig KeyDefaultStatus
Usage trackingUSAGE_TRACKING0 (disabled)Opt-in only
Session telemetryEMIT_SESSION_TRACKING0 (disabled)Opt-in only
HTTP RelayHTTP_RELAY0 (disabled)Opt-in only
Auto-updateUPDATE_URL"" (empty)WSL launcher only
When explicitly enabled, collected data includes: session ID, provider/model, hostname, username, OS/arch, project name, git branch, token counts. Session telemetry additionally includes full conversation content — this should be noted for data governance. Recommended Corporate Configuration (already default):
USAGE_TRACKING=0

EMIT_SESSION_TRACKING=0

EMIT_SESSION_API_URL=

USAGE_API_URL=

UPDATE_URL=

HTTP_RELAY=0

Findings:
IDSeverityFinding
TEL-01INFOStale documentation in scorpiox-usage.c header says default is 1 — actual default is 0
TEL-02INFOMachine fingerprint collection when opt-in enabled — intentional, documented
TEL-03INFOFull conversation content transmitted when session telemetry enabled — opt-in only

16. Install Script & Distribution Security

Agent: install-script | Risk: MEDIUM | Findings: 0 Critical, 2 High, 4 Medium, 3 Low, 8 Info

This is the highest-risk area of the audit. The install/distribution system uses curl|bash (Linux/macOS) and iwr|iex (Windows) patterns.

Findings:
IDSeverityFindingRecommendation
INST-01HIGHNo cryptographic code signing — SHA256 sidecar and binary served from same originImplement GPG/cosign/minisign signatures with offline-stored private key
INST-02HIGHSingle NAS is single point of compromise for supply chainMulti-party signing; separate signing from distribution infrastructure
INST-03MEDIUM--no-verify flag on Linux/macOS allows skipping SHA256 verificationRemove or gate behind SCORPIOX_INSECURE=1
INST-04MEDIUMLinux: silent SHA256 bypass when sha256sum binary not availableAbort install if no hash tool; check openssl dgst as fallback
INST-05MEDIUMNon-atomic install — tar -xzf directly into /usr/local/binExtract to temp dir, verify, then mv into place
INST-06MEDIUMindex.txt single-file branch pointer controls global distributionSign index.txt; add version metadata
INST-07LOWWindows updater uses -ExecutionPolicy BypassExpected for self-managed tooling
INST-08LOWNo version pinning or rollback in install/update scriptsAdd --version flag; keep previous version for rollback
INST-09LOWchmod +x applied via glob scorpiox* — overly broadUse explicit file list
INST-10–17INFOPositive controls: HTTPS enforced, HSTS headers, Windows installer has no --no-verify, WSL self-update fails closed, rollback on failure, no auto-update persistence, set -e in bash scripts, legacy migration path

17. Consolidated Risk Matrix

#AreaFindingSeverityStatusRecommendation
1Install/DistributionNo cryptographic code signingHIGHOpenImplement cosign/minisign with offline key
2Install/DistributionSingle NAS as distribution SPOFHIGHOpenMulti-party signing; separate infrastructure
3NetworkHardcoded IP for TCP token relay (WASM)MEDIUMOpenReplace with DNS hostname; add TLS
4NetworkContainer registry TLS verify disabled by defaultMEDIUMOpenDefault to true; distribute CA cert
5BuildNo build attestation metadataMEDIUMOpenAdd SLSA provenance to release pipeline
6File I/OAPI bodies logged to api.log unconditionallyMEDIUMOpenAdd API_LOG_BODIES config toggle
7MemoryDKIM buffer leak on successful email deliveryMEDIUMOpenAdd free(dkim_buf) before return
8Command InjectionINIT_TOOLS env var unsanitized (Linux-only)MEDIUMOpenValidate with is_safe_shell_arg()
9Windowsscorpiox-pwshovertcp on 0.0.0.0 with execMEDIUMOpenAdd rate limiting; document key requirements
10Windowsscorpiox-server on 0.0.0.0 with script execMEDIUMOpenEnsure JWT enabled in network deployments
11WindowsEmail server on privileged ports without adminMEDIUMOpenDeploy behind Windows Firewall
12Install--no-verify flag allows SHA256 skipMEDIUMOpenGate behind explicit env var
13InstallSilent SHA256 bypass when tool missingMEDIUMOpenAbort install if no hash tool
14InstallNon-atomic installationMEDIUMOpenStage to temp dir then move
15Installindex.txt controls global distributionMEDIUMOpenSign index file
16TLSStatic RSA key exchange (no PFS)LOWOpenRemove MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
17TLSConfigurable TLS verification bypassLOWOpenAdd additional guard for production
18TLSSMTP MX delivery uses VERIFY_OPTIONALLOWAcceptedStandard SMTP practice
19CredentialsHardcoded infrastructure IPLOWOpenUse DNS hostname
20File I/OWASM temp dirs created with 0755LOWOpenChange to 0700
21File I/Oscorpiox-editfile uses raw fopen()LOWOpenUse sx_fopen()
22File I/O/dev/null opens lack O_CLOEXECLOWOpenAdd O_CLOEXEC
23File I/OWindows _mktemp_s non-atomicLOWOpenUse CreateFile with CREATE_NEW
24BufferUncapped calloc from network header_countLOWOpenCap to SX_HTTP_MAX_HEADERS
25BufferInteger multiplication overflow in screenshotLOWOpenCast to size_t
26BufferLarge stack buffers (≥32 KB)LOWOpenConsider heap allocation
27MemoryMissing NULL check in API history initLOWOpenFix error path consistency
28MemoryMemory leaks on error paths (3 locations)LOWOpenAdd cleanup patterns
29Command InjectionWindows system() quote escapingLOWOpenUse CreateProcessW()
30Command InjectionSession name in fallback pathLOWOpenValidate or remove fallback
31Command InjectionDependency name from tool JSONLOWOpenRestrict to [a-zA-Z0-9._-]
32PrivilegeContainer port bind on 0.0.0.0 (Linux)LOWOpenDefault to 127.0.0.1
33PrivilegeMinimal seccomp blocklist (Linux)LOWOpenExtend blocklist
34PrivilegeMinimal capability dropping (Linux)LOWOpenDrop additional capabilities
35Windowsscorpiox-beam unencrypted LAN transferLOWOpenDocument trusted-network only
36WindowsDNS server on 0.0.0.0LOWOpenUse DNS_LISTEN to restrict
37BuildPIE not explicitly enabledLOWOpenSet CMAKE_POSITION_INDEPENDENT_CODE ON
38BuildARM64 Dockerfile image not pinned by digestLOWOpenPin by @sha256:...
39Build-Werror not enabledLOWOpenEnable for CI builds
40Install-ExecutionPolicy Bypass in updaterLOWAcceptedExpected for self-managed tooling
41InstallNo version pinning or rollbackLOWOpenAdd --version flag
42InstallOverly broad chmod +x globLOWOpenUse explicit file list

18. Conclusion & Recommendations

Overall Assessment

SCORPIOX CODE demonstrates strong security engineering across its pure-C codebase. The overall risk rating is LOW for Windows workstation deployment.

Strengths: Priority Recommendations:
  • HIGH PRIORITY — Code Signing: Implement cryptographic code signing for distributed binaries using cosign, minisign, or GPG with an offline-stored private key. This is the most impactful improvement available.
  • HIGH PRIORITY — Distribution Infrastructure: Separate the signing infrastructure from the distribution server. Implement multi-party approval for releases.
  • MEDIUM PRIORITY — API Log Redaction: Add a configuration toggle to disable API body logging, and document that api.log may contain sensitive content.
  • MEDIUM PRIORITY — Memory Leak Fix: Fix the DKIM buffer leak in sxmail_smtp.c to prevent memory exhaustion on busy mail servers.
  • LOW PRIORITY — Defense-in-Depth: Extend seccomp blocklist and capability dropping in the container runtime for additional hardening (Linux-only).
  • Risk Acceptance

    For Windows workstation deployment, the following findings are recommended for risk acceptance:


    19. Appendix: Audit Methodology

    Audit Agents

    #AgentScope
    1supply-chainPackage managers, vendored libraries, pre-built binaries, Windows release contents
    2build-provenanceCMake build system, compiler flags, linker hardening, Dockerfiles, git history
    3network-endpointsHardcoded URLs, IPs, domains, ports in 234 first-party source files
    4tls-securityCertificate verification, protocol versions, cipher suites, plaintext protocols
    5credential-hardcodePattern-based grep for API keys, passwords, tokens, secrets, PEM keys
    6file-ioFile operations, temp files, directory permissions, data at rest
    7buffer-safetysprintf/strcpy/strcat/gets/scanf usage, stack buffer sizes, bounds checks
    8memory-safetymalloc/calloc/realloc NULL checks, use-after-free, double-free, memory leaks
    9command-injectionsystem(), popen(), exec*() call sites with unsanitized input
    10privilege-accesssetuid/setgid, root requirements, sandboxing, namespace isolation, IPC
    11windows-deploymentWindows binary inventory, Win32 API usage, Windows-specific attack surface
    12telemetry-trackingData collection inventory, default configuration, opt-in/opt-out mechanisms
    13install-scriptInstallation scripts, update mechanism, distribution integrity, auto-update

    Scope

    Threat Model

    The audit was conducted with the understanding that:

    Tools & Techniques