🤖 AI Summary
Persistent personal agents, due to their long-term memory and continuous environmental interaction, are vulnerable to stealthy memory injection attacks, wherein malicious content is silently written into memory to manipulate future behavior. This work presents the first systematic characterization of this threat and introduces MemGhost, a novel attack framework that leverages an environment proxy to simulate execution and a target proxy to construct dense rewards, combining supervised fine-tuning with reinforcement learning to achieve black-box exploitation via a single email delivery. The authors also develop WhisperBench, a realistic email-based benchmark supporting diverse agent architectures (e.g., OpenClaw, Claude Code SDK), multiple memory backends (vector stores and file systems), and robustness against multi-layered defenses. Experiments demonstrate that MemGhost achieves end-to-end attack success rates of 87.5% on OpenClaw and 71.4% on Claude across 56 cases, with successful transferability to other architectures such as NanoClaw and Hermes Agent.
📝 Abstract
Persistent personal agents combine long-term memory with access to users' external environments, enabling personalized foreground assistance and proactive background execution. This integration also creates a new path to compromise: untrusted external content can be silently written into persistent memory and later reused as trusted state. We study this threat as stealth memory injection, in which a remote black-box adversary delivers a single email payload that must induce the agent to write poisoned memory, stay hidden in the agent's response to the user, and affect future behavior.
We introduce WhisperBench, a 108-case benchmark spanning five risk categories and both fact and preference poisoning. Built on a real IMAP/SMTP workflow and an authentic email agent skill, it enables full-cycle evaluation of stealth memory injection attacks. To enable this black-box attack under single-email delivery and without runtime feedback, we propose MemGhost, a one-shot payload generation framework. MemGhost uses an environment proxy to emulate persistent-agent execution and an objective proxy to convert memory adoption and conversational stealth into dense rubric-based rewards, then trains the attacker policy with supervised fine-tuning and reinforcement learning.
Across 56 held-out test cases, MemGhost achieves 87.5% end-to-end success on OpenClaw with GPT-5.4 and 71.4% on Claude Code SDK with Sonnet 4.6. It also transfers across personal-agent architectures (NanoClaw and Hermes Agent) and memory backends (filesystem and vector-based Mem0), and remains effective against input-level, model-level, and system-level defenses. These results suggest that persistent memory can turn ordinary external processing into a practical pathway for long-term agent compromise.