zerophish / console
Register Sign in
URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

scan
100 scans / day · free · typical scan 2–4 s ·
try
Result scan 88efa34d
Scan another →
CACHED Showing previous scan from 14 d ago. Click Reanalyze to run a fresh scan.
SAFE · HIGH CONFIDENCE

No phishing signals detected

brand Paperclip scan id 88efa34d duration 15.51s signals 1 failing / 12
Risk score 0.01
1 / 100 · Low risk
Tags
URL anatomy docs.paperclip.ing
https :// docs . paperclip . ing /
flagged registered domain path protocol / query
Indicators of compromise 6 · click any row to copy
URL hxxps://docs[.]paperclip[.]ing/#/reference/adapters/hermes-local
Host docs[.]paperclip[.]ing
Registered domain paperclip[.]ing
Brand Paperclip
Screenshot https://cdn.zerophish.ai/c763bc74-3de9-418b-a617-0a228c651785.jpg
Scan ID 88efa34d-995b-4f00-8ed4-b7bfe4b75b1e
Detection signals 1 fail · 0 warn · 6 pass
Brand typo-squat detected
No similar legitimate brand within edit-distance 2
critical
Domain age
Awaiting analysis
high
Threat intel blocklists
Awaiting analysis
critical
Credential collection form
No credential collection form on visible content
high
×
Visual similarity to known brand
100% structural similarity to Paperclip
high
Favicon impersonation
Favicon matches the registered owner
medium
SSL certificate
Served over HTTPS · valid TLS certificate
low
DNS reputation
Awaiting analysis
medium
showing 8 of 12 ·
Captured page from scan
Captured page
screenshot · captured at scan live page render
Brand impersonation visual + DOM analysis
P
Paperclip
100%
Technical profile resolved at scan time
Host docs.paperclip.ing
Registered domain paperclip.ing
Scheme https
Content length 136901 B
HTTP 200 · text/html
Analyst summary AI-generated
Initial scan heuristic + LLM

Page identity

The page is a documentation site for Paperclip (“Paperclip Docs”) and specifically describes the “Hermes Local” adapter under /reference/adapters/....

Suspicious elements checked

  • No credential/checkout form: In the provided HTML/OCR, there is no login, password, OTP, or credential input—only navigation/search UI and documentation text.
  • No urgency or fake security warnings: The OCR contains technical guidance (e.g., “hermes_local runs Hermes Agent…”, “When To Use/When Not To Use”, configuration fields), with no account-compromise alerts, “verify now,” or threat banners.
  • No mismatched branding / impersonation: Branding is consistent across header elements and text: “Paperclip”, “Docs”, and links to Paperclip-owned destinations like https://paperclip.ing/blog and the GitHub repo paperclipai/paperclip.
  • URL/domain consistency: The URL is https://docs.paperclip.ing/..., which is a plausible subdomain for Paperclip documentation and aligns with the on-page brand.
  • No suspicious redirect indicators: The HTML shows standard internal hash routing (/#/...) and normal external links (e.g., GitHub) without obvious redirect patterns.

Brand & domain relation

Identified brand: Paperclip. The URL host docs.paperclip.ing matches the brand’s domain (paperclip.ing), and the page header reinforces Paperclip branding.

Conclusion

Based on the absence of credential collection, absence of coercive social-engineering language, and strong brand/URL consistency, this appears to be legitimate documentation rather than a phishing page.