Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false “fact” about the user, hide the change, and quietly steer its answers in later sessions.
When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with.
The researchers named the attack stealth memory injection and built a tool that writes the emails automatically. The paper, “When Claws Remember but Do Not Tell,” landed on arXiv on 6 July 2026.
First, what these assistants do
A personal agent is an AI assistant that sticks around. Instead of forgetting everything when a chat ends, it keeps notes about you in files: your preferences, your contacts, and what you asked it to do. It reads those notes at the start of every new session, which is why it feels like it knows you.
Many of these agents can also act for you, reading your email, checking your calendar, and running small jobs on a schedule while you are away.
OpenClaw, the open-source agent used as the study’s primary target, keeps this state in plain text files: some hold its standing instructions (AGENTS.md), some hold what it has learned about you (MEMORY.md). It pulls the core ones into the model’s context at the start of every session.
Those notes are the whole point of the product. They are also the target.
The one-email attack
The attacker does not need your password or your account. They send an email to someone whose agent is set up to check their inbox, which, for these assistants, is a routine job. Buried in that email is text aimed at the assistant, not you.
If the agent’s email skill takes the bait, three things happen in a row. The agent uses its own file tools to write the attacker’s false note into its persistent memory. Its visible reply says nothing about having done so. And later, in a fresh conversation, that false note changes what it tells you or does for you.
In one of the study’s test cases, the planted lie was that the user’s Zelle daily sending limit had been raised to $10,000.
You do not catch the change for a few reasons. The assistant hides its behind-the-scenes steps by design, so the moment it edits a file never shows up in the chat. Few users ever open the raw memory files to read them. And when the agent runs on a schedule in the background, it often sends no message at all, so there is nothing to notice.
To make the poison stick, the tool aims it at the core files that load every session, so a single write is loaded into every later session instead of waiting to be pulled from a separate memory store.
The attack is generated by a tool the researchers call MemGhost. Its makers trained an attacker model offline against a shadow copy of a personal agent, rewarding emails that got the memory saved while keeping the reply quiet. At attack time, it writes the finished email in one shot, with no back-and-forth…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
