Security Blog

You split the work across thirteen agents. Paperclip didn’t split the key.

#18

June 20, 2026 · By Marketing team


A scan of a 71,000-star agent framework found twelve of its thirteen agents carrying the same plaintext token. Once you run a fleet of agents, 'the secret lives in the config' stops being a shortcut and becomes a multiplier.

You did the modern thing. Instead of one big agent, you stood up a fleet — one to triage tickets, one to write copy, one to run the design pipeline, a dozen of them, each with its own job and its own config. It feels safer that way. Smaller blast radius. More least-privilege.

Then a security scan walked through the configs of a 71,000-star agent framework called Paperclip and found that twelve of its thirteen agents were carrying the same credentials — an identical token, pasted in plaintext into each agent’s config [1]. One Anthropic API key sat hardcoded in a design agent’s config in the clear. A bot token meant for one agent was readable by agents that had no business with it.

Thirteen doors. One key, copied into twelve of them. Steal it from the weakest agent and you have the other eleven.

What actually happened

Paperclip gives each agent an MCP server config — the file that tells the agent which tools and services it can reach, and how to authenticate to them. Somewhere along the way the secrets went straight into those files as literal text: an n8n JWT, a bearer token, an Anthropic API key. Not referenced. Not injected at runtime. Typed in — and then, because spinning up the next agent is a copy-paste, duplicated across the fleet.

The scan flagged three things. The shared plaintext tokens across twelve agents (rated HIGH). The Anthropic key sitting in the clear in a design agent’s config (rated CRITICAL). And a bot token scoped to agents it was never meant for — a plain least-privilege miss [1]. To their credit, the Paperclip team moved fast: they migrated to credential references, redacted config on cross-agent reads, and started enforcing binding sync [2]. The right direction.

This is not Paperclip being careless

Here’s the part worth sitting with. Paperclip did what almost every framework does. Putting a secret in a config file is how software has authenticated for thirty years. It worked because there was one app, one config, one operator who knew where the key lived.

The era changed underneath that habit. A multi-agent system isn’t one app with one config — it’s a dozen processes, each with a file, each a copy of the last. Plaintext-in-config was a tolerable shortcut when there was one place to leak. At thirteen, the same shortcut means one leak is thirteen leaks — and “which agent did that?” has no answer, because the token in the log belonged to all of them.

Credential references — the fix Paperclip shipped — are genuinely better. But notice what they do and don’t change. A reference still resolves to a real secret in the place the agent runs; the agent, or anything that compromises it, can still read the resolved value. And the framework’s own bug tracker already shows the next failure mode: a reference drifting out of sync with its binding, so the config looks populated while validation quietly fails [3]. The secret moved one layer back. It didn’t leave the building.
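As an added illustration (not Paperclip's or Clavitor's code, and not the framework's real schema), the check below walks a constructed set of per-agent MCP configs and reports the findings described above: one literal token carried by several agents, a provider API key typed into config as a literal, and a secret_ref that no binding row backs, the drift mode from [3]. The field names mcpServers, env and secret_ref, the bindings table shape, and every value are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: per-agent MCP server configs in a Paperclip-like shape.
# The field names ("mcpServers", "env", "secret_ref") and all values are
# assumptions for this example, not the framework's actual schema or data.
AGENT_CONFIGS = {
    "triage": {"mcpServers": {"n8n": {"env": {"N8N_TOKEN": "tok_shared_EXAMPLE"}}}},
    "copy":   {"mcpServers": {"n8n": {"env": {"N8N_TOKEN": "tok_shared_EXAMPLE"}}}},
    "design": {"mcpServers": {"anthropic": {"env": {"ANTHROPIC_API_KEY": "sk-ant-EXAMPLE0000"}},
                              "n8n": {"env": {"N8N_TOKEN": "tok_shared_EXAMPLE"}}}},
    "review": {"mcpServers": {"n8n": {"env": {"N8N_TOKEN": {"secret_ref": "n8n-prod"}}}}},
}
# Constructed: (agent, ref) rows of the bindings table a secret_ref must resolve through.
SECRET_BINDINGS = {("triage", "n8n-prod")}

LITERAL_SECRET = re.compile(r"^(sk-ant-|tok_|eyJ[A-Za-z0-9_-]+\.)")  # API key / token / JWT shapes

def literal_values(configs):
    """Yield (agent, server, key, value) for every env entry that is a plaintext secret literal."""
    for agent, cfg in configs.items():
        for server, spec in cfg.get("mcpServers", {}).items():
            for key, val in spec.get("env", {}).items():
                if isinstance(val, str) and LITERAL_SECRET.match(val):
                    yield agent, server, key, val

def shared_tokens(configs):
    """Map each literal secret to the agents carrying it; keep only secrets held by 2+ agents."""
    holders = defaultdict(set)
    for agent, _server, _key, val in literal_values(configs):
        holders[val].add(agent)
    return {v: sorted(a) for v, a in holders.items() if len(a) > 1}

def hardcoded_keys(configs):
    """Agents whose config carries a provider API key as a literal string."""
    return sorted({agent for agent, _s, key, _v in literal_values(configs) if key.endswith("_API_KEY")})

def drifted_refs(configs, bindings):
    """secret_ref entries with no backing binding row: config looks populated, resolution would fail."""
    out = []
    for agent, cfg in configs.items():
        for server, spec in cfg.get("mcpServers", {}).items():
            for key, val in spec.get("env", {}).items():
                if isinstance(val, dict) and "secret_ref" in val and (agent, val["secret_ref"]) not in bindings:
                    out.append((agent, server, key, val["secret_ref"]))
    return out
```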

It isn’t only Paperclip

Same week, same root cause, different repos. An issue was filed against a widely used coding agent for printing raw .env values — passwords, tokens, API keys — straight into its chat output. Another agent runner was found handing its full parent environment to subprocesses, so every provider key was visible to a child process [4]. A voice hook was writing transcripts, credentials and all, into world-readable /tmp [5]. Independent teams, independent threat models, one shared assumption: that it’s fine for the secret to live where the agent can see it. The whole argument an attacker has to make is that it isn’t.

Built for this, on purpose

Clavitor starts from the opposite assumption: the agent never holds the credential at all. It asks for an action; the request is intercepted, authenticated against a secret the agent can’t read, and fulfilled. There is no config to paste a token into, because there is no token in the config. Nothing to copy across thirteen agents, because the agent’s environment never holds the thing worth stealing.

Each agent reaches only what it was named for — not the whole store — so a bot token can’t end up readable by an agent that never asked for it. And every action is logged to the specific actor that took it, never to a shared token twelve agents had in common — so “which one did that?” has an answer.

The honest edge: this doesn’t make an agent unhackable. A compromised agent can still do, in the moment, the things it was authorized to do. What it can’t do is walk off with the key and become the other twelve — because there’s no key in its hands to walk off with.

The lesson isn’t “rotate the token”

Paperclip will rotate the tokens, finish the migration, and close the issues. Good — they should. But the rotation isn’t the lesson. The lesson is that the moment you have a fleet of agents instead of one app, “the secret lives in the config” stops being a shortcut and becomes a multiplier. You don’t fix a multiplier by making the secret a little harder to read. You fix it by making sure the secret was never in the agent’s hands to begin with.

We wrote down the rules we think a credential tool should keep in the agent era — among them, that the secret never lives where the code runs, and that an agent reaches only what it was named for. Run yours down them: clavitor.ai/rules.

Clavitor (@clavitorai) is the credential vault built for AI agents, and against them. clavitor.ai

Sources

[1] Paperclip agent framework — credential hygiene findings (CFG-H1 shared plaintext tokens, CFG-C1 hardcoded Anthropic key, CFG-H2 mis-scoped bot token): https://github.com/paperclipai/paperclip

[2] Paperclip — enforce agent secret-binding sync across lifecycle flows (merged): https://github.com/paperclipai/paperclip/pull/8307

[3] Paperclip — secret_ref env entries can drift from secret_bindings rows, config appears populated but validation fails silently (#8309): https://github.com/paperclipai/paperclip/issues/8309

[4] Chetter — runBatchAgent inherits full runner environment, exposing provider API keys to the subprocess (#56): https://github.com/flatout-works/chetter/issues/56

[5] Claude Code voice hook — full transcripts (credentials included) written to world-readable /tmp (#58): https://github.com/rodlaneedu-hash/claude-code-voice-hook/issues/58