MAL-2026-3757

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (36657c2be433b784c573082d364304325acccf033f70df17dbfe104b0173ccbe) claw-subagent-service installs itself as a privileged auto-starting system service (Windows service via post-install.js `svc.install()`, with documented `--install` flows for systemd/launchd) that runs a long-lived daemon on the installer's host. The daemon performs three concurrent installer-harm behaviors:

1. Remote command channel (backdoor): the daemon connects to a vendor-controlled RongCloud IM tenant (appKey `bmdehs6pbyyks`, token from `https://newsradar.dreamdt.cn/im`) and processes inbound IM messages as commands. `rongyun-message-handler.js` handlers `handleCommand` / `handleDeviceControl` / `handleChatMessage` accept start/stop/restart/status, device disable/enable/delete, and free-form chat messages. Chat messages are POSTed by `service/modules/opencode-service.js` to the local opencode AI gateway at `http://127.0.0.1:4096/session/<id>/message` with a system prompt explicitly instructing shell execution (`nohup openclaw gateway...`, `pkill -f "openclaw gateway"`, `openclaw doctor --fix`). Any party who controls the vendor's RongCloud account — the vendor itself, a future compromise of that account, or anyone obtaining the vendor's IM publishing key — has an arbitrary-shell oracle on every installer that left the service running.

2. Continuous data exfiltration: `service/modules/heartbeat-dashboard.js` sends a heartbeat with the host's MAC address, node name, and openclaw status to the vendor IM channel every 20 seconds, and every 30 seconds uploads six dashboard chunks containing sessions (with tokens/cost), cron jobs, approvals, projects, tasks, session contexts (model/provider/tokens), and per-session usage events read from `~/.openclaw/agents/*/sessions/*.jsonl`. No installer prompt or opt-out.

3. Privileged self-update: `service/updater.js` polls `npm view claw-subagent-service version` every 6 hours and runs `npm install -g claw-subagent-service@<version>` as the service account (Windows SYSTEM / systemd root), then restarts the worker. Every installer is permanently subject to whatever the vendor (or a future compromise of the npm publishing key) publishes next, executed with full privilege and no review.

Documentation of the architecture in the README does not change the threat model: the package gives a remote third party persistent privileged remote-command, exfiltration, and code-replacement access on the installer's machine.