An Email Rewrites the Memory of the AI Agent, and No One Notices
Overview
A single email is enough to convince a personal AI agent to write false information about the user into its memory, keep it hidden in its response, and reuse it to guide its behavior in subsequent sessions. This is the result of a study published on arXiv on July 6, titled When Claws Remember but Do Not Tell, which coins the technique stealth memory injection and accompanies it with a tool capable of automatically generating attack emails.
The target is a growing category of assistants: persistent personal agents that combine long-term memory with access to the user's environment. Unlike a chatbot that forgets everything at the end of a conversation, these agents retain notes on preferences, contacts, and tasks in files that they review at the beginning of each new session, giving the impression that they know their users. Many can also act autonomously: reading emails, checking calendars, performing small planned tasks while the user is elsewhere.
The main target of the study is OpenClaw, an open source agent that maintains this state in simple text files: some contain permanent instructions (AGENTS.md), while others hold what the agent has learned about the user (MEMORY.md). At the start of each session, the main files are loaded into the model context. They are the very value of the product, and they are also its weak point.
The attacker does not need the password or account. They send an email to whoever has configured the agent to check the inbox, a routine operation for these assistants. Hidden in the text is a command directed at the assistant, not the human recipient. If the email management skill bites, three things happen sequentially: the agent uses its own file-writing tools to save the false note in persistent memory, the visible response contains no mention of it, and in a subsequent conversation, that note alters what the assistant says or does. In one test case, the planted lie was that the user's daily Zelle sending limit had been increased to $10,000.
The tampering goes unnoticed for several converging reasons. The assistant conceals the intermediate steps by design, so the moment it modifies a file never appears in the chat; few users open the raw memory files to reread them; and when the agent runs in the background on scheduling, it often sends no messages, so there’s nothing to notice. To ensure the poisoning takes hold, the tool directs it to the main files loaded at each session, so a single write enters all future sessions.
Advanced Attacker Training
The rudimentary versions of the trick almost always fail: a simple “save this secretly” and say nothing was intercepted or ignored by the more capable models nearly every time. The game-changer is MemGhost, the payload generation framework. The researchers trained an attacking model offline against a shadow copy of a personal agent, using an environment proxy to emulate execution and a target proxy to translate memory adoption and conversational stealth into dense rewards based on a scoring rubric, using a combination of supervised fine-tuning and reinforcement learning. At the time of the attack, the system writes the final email in a single pass, with no exchange with the victim.
On the experimental setup, the authors built WhisperBench, a benchmark of 108 cases covering five risk categories, from incorrect medical advice to financial loss and even security sabotage, distinguishing factual poisoning from preferences poisoning, all on a real IMAP/SMTP stream and an authentic mail skill.
Out of 56 reserved test cases, MemGhost completes the entire attack (planting false memory, concealment, and response diversion in a subsequent session) in 87.5% of cases against OpenClaw based on GPT-5.4, and in 71.4% against a Claude Code SDK agent on Sonnet 4.6. The technique transfers to other architectures, NanoClaw and Hermes Agent, and to other memory backends, from files to the vector database Mem0, and remains effective against input-level, model-level, and system-level defenses. The rate drops when the agent operates in the foreground, where the user can see the response; in the background, it remains above 80% on two additional frameworks and on the vector archive.
The researchers specifically tested the countermeasures designed for this type of attack. An entry filter built to intercept poisoned emails missed MemGhost’s message more than nine times out of ten; a robust model intended to ignore instructions arriving via email still followed the planted one about half the time. Even when the agent was explicitly asked to tell what it checked and what it did, in one model the attack remained hidden in about a quarter of cases.
Considerations on Findings
It should be noted that these are lab results: everything was conducted in sealed environments with fake inboxes and users, and the tests start after the email has already reached an inbox read by the agent. Thus, there is no verification of whether a real payload would get past spam filters or sender authentication.
No Quick Fix on the Horizon
There is no quick fix coming. The same security policy of OpenClaw considers prompt injection, taken alone, outside the intervention perimeter, unless it also crosses a boundary of authorization, tool policy, approval, or sandbox. MemGhost does not cross any of these, as it operates through the same write-in-memory tool of the agent.
However, OpenClaw contests the experimental setup. Its guidelines recommend passing untrusted mail through a separate reading agent, stripped of memory, file, and shell tools, which only delivers a summary to the main agent, a configuration that the study did not test. It also argues that the model level matters: tests on OpenClaw used GPT-5.4, while the authors skipped Claude Opus 4.6 for cost reasons. To support this, it cites HackMyClaw, a public challenge in which thousands of injection emails failed to extract a secret from an Opus 4.6 agent, even though that test aimed at data theft and not memory poisoning, thus not directly addressing the work. The company claims it is evaluating controls on the writing into memory of external content, including provenance, audit logs, and confirmation requests.
The authors argue that the correction must live within the agent: label the provenance of every piece of information, ask the user for confirmation before anything reaches durable memory, record every writing. The net countermeasure is to keep the two tasks separate, reading untrusted mail and writing to its own memory. Until something like that arrives, any agent that does both without asking remains exposed.
There was a precedent. In 2024, researcher Johann Rehberger manually demonstrated the same move against ChatGPT, planting instructions in long-term memory through poisoned web content: he called it SpAIware. OpenAI closed the data escape route, but the possibility of writing to memory from untrusted content remained. A year later, the idea reached a commercial product with EchoLeak (CVE-2025-32711), disclosed by Aim Security in June 2025: a single email with hidden text induced Microsoft 365 Copilot to deliver internal corporate data when the user asked it any question later. Microsoft classified it as critical and fixed it, with no actual abuse reported. What MemGhost adds is persistence: where previous versions had to be manually planted or stole data only at the moment of request, here an automatic payload transforms an email into a false memory that remains and continues to guide sessions.