GHSA-w8hx-hqjv-vjcq: Paperclip: Malicious skills able to exfiltrate and destroy all user data
Summary
Paperclip, an AI agent platform, has a critical vulnerability where malicious skills can execute arbitrary shell commands on the server through an unsanitized `runtimeConfig` parameter, allowing attackers to steal sensitive credentials like API keys, database passwords, and authentication secrets stored in environment variables.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-63086: text-generation-inference through 3.3.7 contains a server-side request forgery (SSRF) vulnerability in the OpenAI-compat
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
Original source: https://github.com/advisories/GHSA-w8hx-hqjv-vjcq
First tracked: April 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%