Unsecured Paperclip Instances Exposing Live Dashboards via Google Search

✍️ OpenClawRadar | 📅 Published: April 14, 2026

A Reddit user reported accidentally accessing a live Paperclip dashboard while searching for an error related to their OpenClaw agent. After Googling the error and clicking the first result, they were immediately presented with someone's complete Paperclip interface without any authentication required.

What Was Exposed

The exposed dashboard contained:

  • Full organizational chart
  • Active issues and task assignments
  • Agent conversations and configurations
  • Business plans and marketing strategies
  • Task history and potentially API keys

The user noted they could read through "all his marketing plan, his whole business model" and described the situation as "your entire org, your agent configs, your API keys, your task history — all of it is public."

Common Security Misconfigurations

According to the source, this exposure occurs when Paperclip instances have these characteristics:

  • Exposed on a public domain or IP address
  • Running in local_trusted mode
  • Without Basic Auth or any login layer in front

The user emphasized that while Paperclip's self-hosted nature provides full control, it also means "you are responsible for securing it." They warned that improperly secured instances create "an accidental open-source intelligence feed of your entire company" that's indexable by search engines.

The core recommendation from the source is straightforward: "Don't expose it on a public domain without auth."
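
A self-check an operator can run against their own deployment for the conditions listed above, as an added example that is not code from the source post or from the Paperclip project. The function name, the finding labels, the placeholder URL and the `X-Robots-Tag` check are assumptions made here; the script cannot see whether `local_trusted` mode is enabled, only whether an unauthenticated request gets content back.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it to a login page


def audit_own_instance(url, timeout=5):
    """Request `url` with no credentials; return findings for the operator."""
    findings = []
    # Condition 1 in the list above: the host resolves to a public address.
    host = urlsplit(url).hostname
    addrs = {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}
    if any(ipaddress.ip_address(a).is_global for a in addrs):
        findings.append("public-address")
    # Direct connection: no proxy, no cookies, no Authorization header.
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    except urllib.error.URLError:
        return findings + ["unreachable"]
    # Condition 3: no Basic Auth or login layer answered the request.
    if status == 200:
        findings.append("no-auth")
        # Assumption (not from the source): X-Robots-Tag: noindex as a stopgap.
        if "noindex" not in (headers.get("X-Robots-Tag") or "").lower():
            findings.append("indexable")
    elif 300 <= status < 400:
        findings.append("redirect:" + (headers.get("Location") or "?"))
    return findings  # 401/403 adds nothing: something demanded credentials


if __name__ == "__main__":
    # Placeholder URL: replace with the address of your own deployment.
    print(audit_own_instance("http://127.0.0.1:8080/"))
```

An empty list means the request was refused with 401 or 403 from a non-public address; a `redirect:` finding needs a manual look at where the redirect leads.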

📖 Read the full source: r/openclaw
