{"ID":5937015,"CreatedAt":"2026-07-07T03:14:33.014478982Z","UpdatedAt":"2026-07-09T15:05:50.046563074Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2607.05189","arxiv_id":"2607.05189","title":"When Claws Remember but Do Not Tell: Stealthy Memory Injection in Persistent Personal Agents","abstract":"Persistent personal agents combine long-term memory with access to users' external environments, enabling personalized foreground assistance and proactive background execution. This integration also creates a new path to compromise: untrusted external content can be silently written into persistent memory and later reused as trusted state. We study this threat as stealth memory injection, in which a remote black-box adversary delivers a single email payload that must induce the agent to write poisoned memory, stay hidden in the agent's response to the user, and affect future behavior. We introduce WhisperBench, a 108-case benchmark spanning five risk categories and both fact and preference poisoning. Built on a real IMAP/SMTP workflow and an authentic email agent skill, it enables full-cycle evaluation of stealth memory injection attacks. To enable this black-box attack under single-email delivery and without runtime feedback, we propose MemGhost, a one-shot payload generation framework. MemGhost uses an environment proxy to emulate persistent-agent execution and an objective proxy to convert memory adoption and conversational stealth into dense rubric-based rewards, then trains the attacker policy with supervised fine-tuning and reinforcement learning. Across 56 held-out test cases, MemGhost achieves 87.5% end-to-end success on OpenClaw with GPT-5.4 and 71.4% on Claude Code SDK with Sonnet 4.6. It also transfers across personal-agent architectures (NanoClaw and Hermes Agent) and memory backends (filesystem and vector-based Mem0), and remains effective against input-level, model-level, and system-level defenses. These results suggest that persistent memory can turn ordinary external processing into a practical pathway for long-term agent compromise.","short_abstract":"Persistent personal agents combine long-term memory with access to users' external environments, enabling personalized foreground assistance and proactive background execution. This integration also creates a new path to compromise: untrusted external content can be silently written into persistent memory and later reu...","url_abs":"https://arxiv.org/abs/2607.05189","url_pdf":"https://arxiv.org/pdf/2607.05189v1","authors":"[\"Yechao Zhang\",\"Shiqian Zhao\",\"Jiawen Zhang\",\"Jie Zhang\",\"Gelei Deng\",\"Xiaogeng Liu\",\"Chaowei Xiao\",\"Tianwei Zhang\"]","published":"2026-07-06T15:08:58Z","proceeding":"cs.CR","tasks":"[\"cs.CR\",\"cs.AI\"]","methods":"[\"Reinforcement Learning\"]","has_code":false}
