Paperclip for Claude: What It Is and How to Vet AI Extensions Safely

Posted: December 31, 1969 to AI.

Paperclip for Claude: What It Is and How to Vet AI Extensions Safely

Every few weeks a new tool lands in the Claude ecosystem and somebody in the office asks the same question. "Should we use this?" Sometimes the answer is yes. Sometimes the answer is a hard no because the tool wants keys to rooms it should never see. And sometimes the honest answer is "we need to look at it for an afternoon before we put it anywhere near a client workload." Paperclip is the current example, and it is a good teaching case because it sits at the intersection of three things that all have security implications at once: Claude Code agents, Model Context Protocol servers, and unsupervised task orchestration.

This guide covers what Paperclip for Claude actually is, how the broader Claude extension ecosystem fits together, the real vulnerabilities that have already hit production Claude Desktop users, and the security review checklist that Petronella Technology Group walks through with every client before we green-light a new AI integration. If you are a business in Raleigh, the Triangle, or anywhere else weighing whether to let Claude plug into your tools, start here.

What Paperclip for Claude actually is

Paperclip is an open source orchestration platform that turns AI coding agents, especially Claude Code, into a coordinated team with org charts, budgets, goals, governance, and accountability. It launched on March 4, 2026, and within three weeks crossed 30,000 stars on GitHub, hitting 38,000 stars in under four weeks according to coverage by MindStudio and Towards AI. Later reporting put the star count past 53,000 by early April 2026, which puts it among the fastest growing open source agent projects of the year.

The pitch is simple. Single agent coding tools like Claude Code are good at one task at a time. Paperclip sits above the agent layer and lets a top level AI decompose a business goal into sub tasks, assign them to specialized sub agents, and then track cost, progress, and approvals the same way a human manager would. The project describes itself as "the human control plane for AI labor," and the technical reality matches that framing. It is a Node.js server with a React dashboard, backed by Postgres, that any operator can self host.

Paperclip is unopinionated about which agent runtime you use. Claude Code is the default and the most widely documented path, but the framework also supports OpenClaw bots, Codex, Cursor, Gemini CLI, and anything else that speaks HTTP. The Anthropic specific integration runs each agent as a Claude Code session behind the scenes, which means Paperclip inherits every permission, every credential, and every capability Claude Code has on that machine. That is the important security sentence in this whole guide. Write it down.

The Paperclip stack, in plain English

Here is what actually shows up on your server when you run the install.

A Node.js process runs the orchestration server. It talks to an embedded Postgres in local mode or a managed Postgres in production. It exposes a REST API for agents to query and update their own state, and a React dashboard for humans to set goals, approve changes, and monitor cost.

A Model Context Protocol server, published as @paperclipai/mcp-server, exposes the Paperclip REST API as tools that any MCP compatible AI assistant can call. That means you can open Claude Desktop, connect it to the Paperclip MCP server, and ask Claude in plain English to create new issues, approve agent actions, or reassign work across your agent team.

Claude Code sessions run as the actual workers. Each agent is a Claude Code process with its own workspace, its own system prompt, and its own set of permissions. Paperclip injects the goal ancestry, the budget, and the approval state, and Claude Code does the work.

Optional plugins extend the system. The agent-paperclip desktop companion from fredruss on GitHub visualizes context window usage. The paperclip-plugin-acp from mvanhorn exposes an Agent Client Protocol runtime so you can drive Claude Code, Codex, or Gemini CLI from any chat platform. There is an awesome-paperclip repo maintained by gsxdsm that collects community plugins, and Wizarck maintains an alternate MCP server build. This plugin surface is part of the appeal and part of the risk, which is the core of why this post exists.

Why businesses are paying attention

The serious interest is not the novelty. It is the shift in unit economics. A mid market firm that historically needed a team of five to cover content, sales development, and internal tooling can now run three people plus a coordinated Claude agent team and get most of the same output at a fraction of the spend. That is the promise. The catch is that every agent you hand work to is another machine that has credentials, access, and the ability to act on your behalf. If you do not govern them the same way you would govern a new employee, you get incidents. Not theoretical ones.

The wider Claude extension and plugin ecosystem

Paperclip is one tool in a much bigger surface that expanded dramatically in 2025 and 2026. Before we hand any of them root on a client machine we need to understand what each layer actually is.

Claude Desktop Extensions (DXT)

Anthropic added Desktop Extensions to Claude Desktop during 2025. An extension is a signed bundle that runs locally with full user permissions and plugs tools into the Claude conversation. You install one, grant it access, and now Claude can read your files, send your email, hit your APIs, or automate your browser. This is where the convenience lives, and also where most of the serious security incidents have landed.

LayerX disclosed a zero click remote code execution vulnerability in Claude Desktop Extensions that affected more than 10,000 users across 50 extensions, and published the writeup in early 2026. They rated it CVSS 10.0. The core attack was that a single Google Calendar event could trigger command injection inside an extension and run arbitrary code on the host. The root cause was architectural. Claude Desktop Extensions run unsandboxed, with the full permissions of the logged in user, and several extensions passed untrusted input into shell commands without sanitization. Infosecurity Magazine covered Anthropic's initial decision not to patch certain related prompt injection paths, which raised eyebrows and prompted a follow up.

Model Context Protocol (MCP) servers

MCP is the open protocol Anthropic published so any tool can expose capabilities to any AI model in a standard way. MCP servers run as separate processes on your machine or remotely, Claude connects to them, and the model calls the tools they expose. The Paperclip MCP server is one of thousands now live. The Anthropic security documentation at code.claude.com is direct about this: "Anthropic does not manage or audit any MCP servers." Translation, you are the reviewer. Nobody else is checking.

Datadog Security Labs published CVE-2025-52882, a WebSocket authentication bypass in Claude Code extensions for Visual Studio Code that let any malicious website connect to a local unauthenticated WebSocket server and get remote command execution. Check Point Research published CVE-2025-59536 and CVE-2026-21852, which covered API credential theft and remote code execution through malicious project configuration files using hooks, MCP servers, and environment variables. Composio has an ongoing write up titled "MCP Vulnerabilities Every Developer Should Know" that lays out the full class of attacks. Pillar Security published "The Security Risks of Model Context Protocol (MCP)" covering supply chain risk. The pattern is consistent. These are not edge cases. The protocol gives agents real capability, and any misstep in a connector becomes a real incident.

Claude for Chrome

Anthropic released the Claude in Chrome browser extension in preview in December 2025. It lets Claude navigate, click, fill forms, and extract information inside your live browser session. The convenience is obvious. The exposure is also obvious. If Claude is driving your Chrome, and Chrome is logged into your bank, your CRM, and your client file share, anything that can prompt inject Claude through web content can in principle drive your browser. Anthropic has published mitigations and request confirmation patterns. The real world answer, as with Paperclip, is the same. Scope, segment, log, review.

Hosted agent frameworks and competitors

Paperclip is the current leader in mindshare. There is a competing project called WoterClip, also covered by WotAI, that turns Linear into an agent orchestration layer using a Claude Code plugin approach with zero infrastructure. NousResearch published hermes-paperclip-adapter so their Hermes Agent can run as a managed employee inside a Paperclip company. MindStudio has published a series of multi agent company tutorials that walk through the Paperclip plus Claude Code pattern. The ecosystem is moving fast. Every month there are new entrants, new plugins, and new attack surfaces. Your process for evaluating them has to move faster than the marketing.

The risks nobody puts on the landing page

Here is what we have seen in the field or read in published research that should shape how you think about any Claude ecosystem tool, Paperclip included.

Full permission blast radius

Extensions, MCP servers, and agent runtimes like Claude Code run with the permissions of the user who launched them. On a developer laptop, that is usually everything. SSH keys, AWS credentials, browser password stores, signed session cookies, and the file system. LayerX documented this exact blast radius in the 10,000 user Claude Desktop incident. If your threat model assumes that Claude Desktop is a browser tab, you are modeling the wrong thing. It is a local process with shell access to your machine.

Prompt injection is a real attack, not a curiosity

Prompt injection stopped being academic the day the first Claude Desktop user got exploited by a Google Calendar invite. Any content that Claude reads, whether it is a web page, an email, a calendar entry, a PDF, a Slack message, or a GitHub issue, is content that can contain instructions. If the model has tools, those instructions can call the tools. Infosecurity Magazine's writeup on the Claude Desktop prompt injection flaw and LayerX's Google Calendar exploit both document the same basic shape. Attackers embed "do this" inside untrusted text, the model helpfully complies, and the damage radius is whatever tool was nearest.

Unsandboxed execution

Claude Desktop Extensions today run unsandboxed. Many MCP servers run unsandboxed. Claude Code runs unsandboxed. That is convenient, and for an individual developer who reviews every commit it is probably fine. For a business that hands Claude access to client data, it is a category of risk that needs explicit controls. Sandboxing, container isolation, least privilege credentials, and logged tool invocations are not nice to have. They are the difference between a contained incident and a ransom letter.

Supply chain trust, or lack of it

Anthropic does not audit MCP servers. GitHub does not audit them. The awesome paperclip list is community curated, not verified. When you npm install a Paperclip plugin, you are trusting the plugin author, every dependency they pull in, and every update they ship. The same is true for every community built DXT extension. CVE-2025-59536 and CVE-2026-21852 from Check Point Research were triggered through malicious project configuration files. The lesson is that anything you install from the Claude plugin ecosystem needs the same supply chain scrutiny you give to any other npm package, probably more, because the capability it gets when Claude invokes it is much higher than a typical library.

Autonomous chaining

This is the subtle one. Claude, by design, picks which tools to call and how to chain them. If you have one connector for Google Calendar and one for a local shell, Claude can decide on its own to read the calendar, extract a command string from a meeting description, and pass it to the shell. That is not a bug. That is the feature. It is also the exact exploit pattern LayerX documented. Agents that can chain tools will chain tools, including in ways you did not anticipate, including when the input is adversarial.

Cost exposure

Agent frameworks bill token usage against your Anthropic account. A misconfigured Paperclip deployment, a runaway sub agent, or a prompt injection that says "run this query a thousand times" translates directly into real dollars on your invoice. Cost alerts and per agent budgets are not just nice dashboard features. They are a protective control.

The Petronella Technology Group security review checklist for AI extensions

We use this checklist every time a client says "I want to install this Claude thing." It is the core of our AI extension vetting service, and it is purposefully conservative. If an extension cannot clear these questions, we do not deploy it on client hardware or against client data. Paperclip can clear all of these if you configure it carefully. Many extensions cannot. The same checklist runs against every plugin, MCP server, and DXT bundle that any Petronella Technology Group client asks us to evaluate, and we keep a running internal registry of which tools are pre cleared so our clients do not have to redo the work from scratch.

1. Identity of the publisher

Who wrote it. Real name, real company, real track record. Is the repo owned by a recognizable organization, or a six week old personal account. How many maintainers, and do they have a history of handling security disclosures. For Paperclip, the core repo is paperclipai/paperclip, MIT licensed, with a sister organization fork at agencyenterprise/paperclip-ai. Core publishing history is traceable and the license is permissive. This is table stakes and it passes. Many random MCP servers you find in a Google result do not.

2. Install source and signature

Is it pulled from the official registry, the publisher's signed GitHub releases, or an unvetted mirror. Is the package or binary signed. Is the install command something you can read and understand, or a curl pipe bash that you cannot audit. We prefer signed releases and a manual review of the install script. Every time.

3. Permissions requested

Read the manifest. What filesystem paths does it want. What network hosts does it need to reach. Does it request shell execution. Does it read environment variables with secrets in them. The Paperclip MCP server, by default, scopes to the Paperclip REST API only and does not need shell. That is a good sign. An MCP server that wants exec access and read on your entire home directory is a different conversation.

4. Credential handling

Where are API keys stored. Are they encrypted at rest. Are they scoped, so the key only works against the intended service. Can you rotate them easily. Does the tool log keys to stdout or to a debug file during errors. Secret scrubbing on exports, which Paperclip specifically ships, is a good pattern. Hard coded keys in example config files, which a surprising number of community extensions include, is a red flag.

5. Network posture

Does the extension make outbound connections to anywhere other than the expected services. Does it phone home telemetry. Can that telemetry be disabled. Is there a proxy or egress control option for air gapped deployments. For any client in a CMMC, HIPAA, or SOC 2 scope, unsolicited outbound telemetry is a blocker until it is turned off and verified at the network layer.

6. Data flow map

Draw a picture. What data enters the tool. What data leaves the tool. What does the tool send to Anthropic. What does the tool cache locally. What does it log. If the client handles controlled unclassified information under CMMC, this matters. If the client handles protected health information under HIPAA, this matters even more. A data flow map that fits on one page is the minimum.

7. Sandboxing and isolation

Does the extension run in its own container, its own virtual machine, its own user account, or inline with your shell. Can you run it under a least privilege OS user. Can you mount the project directory read only. Can you block outbound network by default and allow list the specific hosts it needs. Paperclip as a Node.js server plus Postgres is straightforwardly containerizable, which is one reason we like it for regulated workloads.

8. Audit trail

Does the tool log every tool invocation. Every file read. Every shell command. Every cost event. Can you ship those logs to your SIEM. If an incident happens, can you reconstruct what the agent did. Paperclip's governance layer includes approval gates and revisioned config changes with rollback, which is explicitly a good fit for regulated environments. A random MCP server with no audit trail is a non starter for a regulated client.

9. Update posture

How do updates ship. Auto update on launch, manual pin, tagged releases only. A plugin that silently updates itself and can introduce new capabilities without a human review is a risk. A plugin that pins to a version and requires a human action to upgrade is a risk that is actually manageable. Pin everything.

10. Incident response

Has the project handled a CVE. How fast. Was the disclosure responsible. Is there a security contact. Is there a published security policy. For a project as young as Paperclip, the record is limited but positive so far. For older extensions, there should be evidence.

11. Scope of autonomy

This is the one most people skip. How much action can the tool take without asking. Every multi step agent system including Paperclip will, by default, try to do useful work on its own. Approval gates, budget caps, and per goal scopes are the difference between a helpful agent and a bull in a china shop. Paperclip ships with approval gates built in. Turn them on. Require a human click on anything that writes to production, spends money, sends email, or touches a client system.

12. Rollback plan

If the extension misbehaves, how do you back out. Uninstall is not enough. You need the ability to revert every change it made to files, databases, and external services. Paperclip's revisioned config and company template export and import patterns make this straightforward for the Paperclip layer itself. The underlying agent workspaces still need the standard git and backup discipline.

13. Legal and terms of service

Does using this tool violate the terms of the underlying service. The Paperclip community has an open GitHub discussion specifically titled "ToS check: Is running Claude Code agents through Paperclip within Anthropic's terms?" which is the right question to ask in public. For a regulated client, make sure the data you feed the agent is allowed to be sent to the model provider in the first place, and make sure your contracts with downstream clients permit the processing.

If an extension or plugin passes all thirteen, we will usually deploy it in a lab environment first, run it against synthetic data, instrument the logs, then decide whether it gets near client data. Paperclip can pass all thirteen when it is deployed carefully. The plugins around it vary wildly. Every plugin, every MCP server, every DXT extension goes through the same checklist. No exceptions, no short cuts.

A worked example: deploying Paperclip safely for a regulated client

Say you run a healthcare billing firm in Cary and you want to use Paperclip plus Claude Code to automate repetitive coding, claims follow up, and internal ticket triage. Here is how we would scope that engagement from day one, and it shows how the checklist turns into real decisions.

Start with data classification. The firm handles protected health information under HIPAA, which means any workflow involving claims must go through a Business Associate Agreement covered Anthropic channel. Anthropic does offer BAAs for Claude API customers who qualify. If the firm's Claude access is through a plan that does not include a BAA, step one is fixing that before any agent sees a single claim line. No amount of Paperclip configuration makes up for a missing BAA.

Next, segment the deployment. The Paperclip server, the Postgres instance, and the Claude Code worker sessions all run inside a dedicated virtual private cloud segment with its own firewall policy. Outbound network is allow list only, and it only reaches Anthropic's API and the specific billing system endpoints the agents actually need. No Google Calendar integration, no general web search tool, no filesystem access outside a per agent workspace that is mounted read only on the source of truth directories. The server lives behind your normal identity provider and single sign on, with mandatory multi factor for the dashboard.

Now set the scope. You define three roles to start. A coding agent that only touches a specific repository, a claims follow up agent that only hits a specific subset of the billing API and only in read or draft mode, and a triage agent that only classifies inbound tickets. Each agent gets its own least privilege credential set, stored in a real secrets manager and rotated on a schedule. Approval gates are turned on for anything that writes, sends email, spends money, or changes a record. No agent has shell access on a host that also holds production data.

Instrument everything. Paperclip's audit trail flows to your SIEM. Token spend has per agent budgets that page the owner when they trip. Every approval event, every rollback, every rejected action is logged and reviewed weekly by a human. Your incident response runbook explicitly covers "an agent did something it should not have" and it has a named person on call.

Run a pilot. Before the agents see real data, they run for two weeks against a synthetic copy of the billing environment. You look for prompt injection resilience, cost anomalies, and any capability creep you did not anticipate. If the pilot is clean, you promote carefully, one workflow at a time.

None of that is specific to Paperclip. All of it applies to every Claude ecosystem tool we deploy for a regulated client. Paperclip is convenient because it builds approval gates, governance, and audit trails into the framework itself. It is still your job to turn them on, configure them correctly, and verify them.

Where Petronella Technology Group fits

We are a Raleigh, North Carolina managed IT, cybersecurity, and AI firm, founded in 2002 and BBB A plus accredited since 2003. Petronella Technology Group is a CMMC AB Registered Provider Organization, RPO #1449, verified in the public CyberAB registry. Craig Petronella, our founder, holds CMMC RP, CCNA, CWNE, and DFE number 604180 credentials. The entire team is CMMC RP certified. We run 10 plus production Claude agents of our own on an enterprise private AI cluster, so every recommendation in this article comes from tools we actually operate in house, not theory.

Our AI extension vetting service runs the thirteen point checklist above against any Claude Code plugin, MCP server, DXT bundle, Paperclip extension, or agent runtime a client wants to adopt. We produce a written go or no go decision, a deployment architecture if it is a go, and a monitoring plan that plugs into the client's existing stack. On top of that we wrap every AI tool we approve inside our managed IT and cybersecurity services, so the Claude deployments sit behind the same patching, backup, network segmentation, identity, and 24 by 7 threat analysis we already run for the rest of the environment. Safe AI tool adoption is not a one off project at Petronella Technology Group. It is a service we operate continuously for every client that wants modern agent tooling without inheriting the blast radius that comes with it by default.

If you are looking at Paperclip, or any Claude ecosystem tool, and you want a second set of eyes before you install it anywhere near client data, we do that work every week. Security review, threat modeling, deployment architecture, per tool audit, and ongoing monitoring. We also run the private AI cluster hosting for clients who prefer their agents run on hardware they control, which is increasingly the right answer for regulated data covered by CMMC, HIPAA, or SOC 2 obligations.

Practical places to dig in from here:

• The overview of the Petronella AI services practice, including AI extension vetting, private cluster hosting, and agent deployment.
• The broader Petronella cybersecurity program that wraps these AI deployments in the access controls, logging, and incident response you actually need.
• The managed IT services offering that handles the patching, monitoring, backup, and identity layer underneath any agent rollout so the AI tooling sits on a stable, hardened stack.
• The deep dive on the Petronella private AI cluster option for clients who want Claude Code and Paperclip running on hardware under their control.

The honest summary

Paperclip for Claude is a legitimately interesting orchestration platform that is well engineered, open source, MIT licensed, and growing fast. It inherits every strength and every risk of the Claude Code agent runtime underneath it. The serious security incidents in the Claude ecosystem during 2025 and 2026, from the LayerX Google Calendar zero click at CVSS 10.0 to the Datadog WebSocket bypass to the Check Point project file CVEs, are not reasons to avoid this class of tooling. They are reasons to deploy it the way you would deploy any other piece of privileged infrastructure. With scope, segmentation, least privilege, logging, approval gates, and an owner who is accountable when something goes wrong.

If you have a business in the Triangle and you are trying to decide whether a Claude extension, a Paperclip deployment, or any other AI agent tool belongs in your environment, call Petronella Technology Group at (919) 348-4912 or start a conversation through our contact us page. We will help you sort the convenient from the defensible, and we will do the security review homework before anything touches your production data.

Sources and references

• Paperclip project site, paperclip.ing
• Paperclip GitHub repository, github.com/paperclipai/paperclip
• Paperclip MCP server, github.com/Wizarck/paperclip-mcp and the @paperclipai/mcp-server npm package
• Agent Paperclip desktop companion, github.com/fredruss/agent-paperclip
• Paperclip ACP runtime plugin, github.com/mvanhorn/paperclip-plugin-acp
• Awesome Paperclip plugin list, github.com/gsxdsm/awesome-paperclip
• NousResearch Hermes Paperclip adapter, github.com/NousResearch/hermes-paperclip-adapter
• MindStudio, "How to Build a Multi Agent Company with Paperclip and Claude Code"
• Towards AI, "Paperclip: The Open Source Operating System for Zero Human Companies"
• eWeek, "Meet Paperclip: The Tool Turning OpenClaw Agents Into an AI Company"
• LayerX Security, "Claude Desktop Extensions Exposes Over 10,000 Users to Remote Code Execution Vulnerability"
• Koi, "PromptJacking: The Critical RCEs in Claude Desktop That Turn Questions Into Exploits"
• Infosecurity Magazine, "New Zero Click Flaw in Claude Extensions, Anthropic Declines Fix"
• Infosecurity Magazine, "Claude Desktop Extensions Vulnerable to Web Based Prompt Injection"
• Datadog Security Labs, "CVE-2025-52882: WebSocket authentication bypass in Claude Code extensions"
• Check Point Research, "Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files" covering CVE-2025-59536 and CVE-2026-21852
• Anthropic Claude Code security documentation, code.claude.com/docs/en/security
• Composio, "MCP Vulnerabilities Every Developer Should Know"
• Pillar Security, "The Security Risks of Model Context Protocol (MCP)"
• Anthropic, Claude for Chrome announcement, claude.com/claude-for-chrome
• CyberAB RPO registry entry, cyberab.org/Member/RPO-1449-Petronella-Cybersecurity-And-Digital-Forensics