GHSA-w8hx-hqjv-vjcq: Paperclip: Malicious skills able to exfiltrate and destroy all user data
An arbitrary code execution vulnerability in the workspace runtime service allows any agent to execute shell commands on the server, exposing all environment variables including API keys, JWT secrets, and database credentials.