A proof of concept uses automated stealth memory injection against persistent personal agents, testing false-memory planting and hidden behavioral influence
Give an AI agent persistent memory and access to a user’s inbox, and you create a path for an attacker to reshape what that system believes about the user. According to a report by The Hacker News, researchers have found that a single email is enough to persuade an AI agent to store a false fact, conceal the change, and then use that poisoned memory to influence later answers or actions.
Researchers refer to this technique as “stealth memory injection”, and the work behind it appears in the paper “When Claws Remember but Do Not Tell”, which was posted to arXiv on 6 July 2026.
The attack targets personal agents, a class of AI assistants designed to retain notes about a user across sessions, including preferences, contacts, and tasks, so the assistant seems continuous rather than forgetful. The main target studied was OpenClaw, an open-source agent that stores standing instructions and learned user facts in plain text files such as AGENTS.md and MEMORY.md, then loads key items into context at the start of each session. That design helps the assistant feel personalized, but it also creates a durable place for malicious content to take root.
The researchers had used an automated framework call MemGhost to make the attack work in one shot, without interactive back-and-forth with the target. It was trained against a shadow copy of a personal agent, rewarding emails that successfully planted memory while keeping the visible reply quiet. Across 56 fresh test cases, the framework achieved full stealth-memory compromise, including false-memory planting, concealment, and later behavioral influence. It reached 87.5% success in background-mode runs against OpenClaw with GPT-5.4 and 71.4% against a Claude Code SDK agent using Sonnet 4.6.
The researchers also built a 108-case benchmark covering risks such as bad medical advice, financial harm, and security sabotage. Their broader point is that the danger is not just that AI systems can read untrusted content, but that they can store it as trusted memory without a visible approval step.
