When Claws Remember but Do Not Tell: Stealthy Memory Injection in Persistent Personal Agents
2026-07-06 • Cryptography and Security
Cryptography and SecurityArtificial Intelligence
AI summaryⓘ
The authors study how smart personal assistant programs that remember things long-term can be tricked by a single malicious email. This email can secretly make the assistant store bad information and then use it later without the user noticing. They created a test set called WhisperBench to evaluate these attacks and developed a tool named MemGhost to automatically craft such tricky emails. Their method worked well across different assistant systems and memory types, even when defenses were used. This shows that long-term memory in these assistants can be a weak point if external content isn’t carefully checked.
persistent personal agentslong-term memorystealth memory injectionblack-box attackIMAP/SMTPreinforcement learningsupervised fine-tuningmemory poisoningconversational agentsagent compromise
Authors
Yechao Zhang, Shiqian Zhao, Jiawen Zhang, Jie Zhang, Gelei Deng, Xiaogeng Liu, Chaowei Xiao, Tianwei Zhang
Abstract
Persistent personal agents combine long-term memory with access to users' external environments, enabling personalized foreground assistance and proactive background execution. This integration also creates a new path to compromise: untrusted external content can be silently written into persistent memory and later reused as trusted state. We study this threat as stealth memory injection, in which a remote black-box adversary delivers a single email payload that must induce the agent to write poisoned memory, stay hidden in the agent's response to the user, and affect future behavior. We introduce WhisperBench, a 108-case benchmark spanning five risk categories and both fact and preference poisoning. Built on a real IMAP/SMTP workflow and an authentic email agent skill, it enables full-cycle evaluation of stealth memory injection attacks. To enable this black-box attack under single-email delivery and without runtime feedback, we propose MemGhost, a one-shot payload generation framework. MemGhost uses an environment proxy to emulate persistent-agent execution and an objective proxy to convert memory adoption and conversational stealth into dense rubric-based rewards, then trains the attacker policy with supervised fine-tuning and reinforcement learning. Across 56 held-out test cases, MemGhost achieves 87.5% end-to-end success on OpenClaw with GPT-5.4 and 71.4% on Claude Code SDK with Sonnet 4.6. It also transfers across personal-agent architectures (NanoClaw and Hermes Agent) and memory backends (filesystem and vector-based Mem0), and remains effective against input-level, model-level, and system-level defenses. These results suggest that persistent memory can turn ordinary external processing into a practical pathway for long-term agent compromise.