On default invocation (e.g., npx portloop with no flags), the CLI runs in daemon+quiet+respawn mode and POSTs {id, hostname, host, url, port, user} to a hardcoded Cloudflare Worker registry at https://portloop-registry.yaz-b35.workers.dev/register using a hardcoded bearer token (index.js:46, index.js:80). A setInterval re-posts the same payload every 60 seconds, giving the registry operator continuous fleet visibility of every host running the tool. Opt-out is only via an undocumented PORTLOOP_REGISTRY=off env var. Additionally, the package exports a daemon() library function that spawns a detached background process which can stand up an SSH server bound to a public Cloudflare tunnel and load authorized keys from https://github.com/<user>.keys (index.js:124, index.js:686). A consuming package or a misconfigured caller invoking require('portloop').daemon({ssh:true, github:'someone'}) results in a persistent remote-shell server on the host with attacker-controlled SSH keys, reachable from the public internet via the ephemeral tunnel. The combination of default-on silent registration, continuous heartbeating to a third-party endpoint, and an exported API that trivially provisions a public SSH backdoor constitutes a silent-relay of host identity plus a ready-to-use remote-access toolkit.