Skip to content
AI Security Wire

Published

- 6 min read

By

MemGhost: One Email Can Plant a Persistent False Memory in Your AI Agent

img of MemGhost: One Email Can Plant a Persistent False Memory in Your AI Agent

A paper published on arXiv on July 6 describes an automated attack that can turn a single email into a persistent lie inside an AI agent, one that skews answers, steers financial decisions, and never shows up in the chat log. The researchers call it MemGhost. The underlying technique is stealth memory injection: coerce an agent into writing an attacker-chosen fact into its durable memory, suppress the visible reply about having done so, and the false context loads into every subsequent session automatically.

This is not a theoretical primitive. MemGhost succeeded in 87.5% of background-mode test runs against OpenClaw on GPT-5.4, and in 71.4% of runs against a Claude Code SDK agent on Sonnet 4.6.

How the Attack Works

Personal AI agents like OpenClaw are built around persistence. They keep notes about you in plain text files: standing instructions (AGENTS.md), things they’ve learned (MEMORY.md), scheduled tasks, contact details. At the start of every session, the agent loads those files into context. That’s the product feature. It’s also the attack surface.

MemGhost exploits two properties together. First, agents with email access routinely process messages from strangers as part of normal operation. Second, those same agents have file-write tools they use to update their own memory.

When the attack email reaches an inbox the agent monitors, it carries instructions aimed at the agent, not the human recipient. If the agent takes the bait, three things happen in sequence: it writes the attacker’s chosen false fact into its persistent memory files, it produces a reply that says nothing about having done so, and from that point forward, every new session starts with the planted lie already loaded.

The study included a concrete scenario. One planted memory told the agent that the user’s Zelle daily sending limit had been raised to $10,000. The user sees an ordinary-looking reply to the email. The agent acts on the false limit in later conversations. Nobody is prompted to approve the memory change.

Why Blunt Attacks Fail and MemGhost Doesn’t

Earlier versions of the same idea largely fail against capable models. A direct instruction like “save this quietly and say nothing” is caught or ignored by strong models the vast majority of the time. What MemGhost adds is a training step.

The researchers trained an attacker model offline against a shadow copy of a personal agent, rewarding it for emails that planted the lie and kept the visible reply clean. At attack time, it generates the finished email in one forward pass. No iterative back-and-forth with the victim system. No obvious adversarial structure in the output.

That trained generator is what pushed success rates above 70%. The email it produces looks ordinary to a human and to most automated filters. The study found that an input filter built specifically to catch poisoned emails missed MemGhost’s messages more than nine times in ten. A model hardened against email-embedded instructions still followed the planted one about half the time. Even when the user directly asked the agent to recount everything it had checked and done, the attack stayed hidden roughly a quarter of the time on one model.

Persistence Is What Makes This Different

Memory poisoning in AI agents has precedent. Johann Rehberger demonstrated in 2024 that ChatGPT’s long-term memory could be written from poisoned web content, causing the model to leak user data across future sessions. He called it SpAIware. EchoLeak (CVE-2025-32711), disclosed by Aim Security in June 2025, used a hidden-text email to make Microsoft 365 Copilot exfiltrate internal company data the next time the user asked a normal question. Microsoft rated it critical and patched the specific exfiltration path.

Both those attacks required either manual crafting or exploited moment-of-interaction data leakage. MemGhost automates generation, and its payload targets the core files that load at session start. One successful write repeats its effect indefinitely, across every future conversation, until someone opens the memory files and manually removes the poison.

The researchers built WhisperBench, a 108-case evaluation framework covering false facts about medical advice, financial information, and security-relevant context, to measure impact across harm categories. Background-mode results stayed above 80% on two additional agent frameworks beyond OpenClaw and on a vector-based memory store as well as plain files. The attack is not specific to a single implementation choice.

What OpenClaw Said

OpenClaw responded to the research. Its security guidance already recommends routing untrusted email through a separate reader agent stripped of memory, file, and shell tools, passing only a summary to the main agent. The paper did not test that isolation architecture.

OpenClaw also pointed to HackMyClaw, a public challenge where thousands of injection-attempt emails failed to extract a secret from an Opus 4.6 agent. The researchers acknowledge skipping Opus 4.6 for cost reasons, and OpenClaw argues that model tier matters more than the paper’s framing suggests. The HackMyClaw comparison targets data exfiltration rather than memory poisoning, so it doesn’t directly answer the paper’s claims, but the gap is worth noting.

OpenClaw said it is evaluating memory-write controls for external content, including provenance tracking, audit logs, and confirmation prompts, in the same direction the paper recommends. The paper’s authors said they plan to disclose their attack patterns and WhisperBench to affected agent developers and model providers.

Defensive Controls for Agent Operators

The attack requires two conditions: the agent reads untrusted external email, and it can write to durable memory without user confirmation. Removing either condition removes the attack.

Separate email access from memory writes. An agent configured to read email should not be able to call memory-write tools in the same execution context. OpenClaw’s recommended architecture reflects this. If your deployment can’t implement full separation, apply an approval gate specifically to memory-write calls that originate from external-content contexts.

Log every write with provenance. Every change to a persistent memory store should record what triggered it, when it happened, and what external content was in scope at the time. This is not the default in most agent deployments today.

Audit memory files after anything suspicious. Users rarely open the raw memory files their agents maintain. For any agent with significant financial or access authority, periodic review of MEMORY.md and equivalent files takes minutes and is the simplest catch for tampering that automated defenses missed.

Treat background mode with more caution. The study’s highest success rates were in background mode, where the agent runs on a schedule with no visible output. If your agent operates in this mode and reads email, the risk profile is materially higher than foreground interactive use.

The MemGhost results are lab results from sealed test environments with fake inboxes. The researchers document no exploitation against real users. The precondition, an agent with email access and writable memory, is common in production deployments of personal AI assistants, and the success rates against current frontier models are high enough that this should move from theoretical to planned-for.

The paper is “When Claws Remember but Do Not Tell,” arXiv, July 6, 2026.

Frequently Asked Questions

What makes MemGhost different from earlier memory poisoning attacks like SpAIware or EchoLeak?
SpAIware (2024) required manual setup by a researcher, and EchoLeak (CVE-2025-32711) caused in-the-moment data leakage from a single email interaction. MemGhost automates the payload generation using a trained attacker model and targets the core files loaded at the start of every agent session, so one successful write repeats its effect across all future conversations until manually corrected. The combination of automation, persistence, and silence in the visible reply is what distinguishes it.
Which AI agent setups are most exposed to MemGhost-style attacks?
Any agent that both reads untrusted external email and can write to its own durable memory without user confirmation is directly in scope. The paper used OpenClaw as the primary target, and tested a Claude Code SDK-based agent as a secondary target. Agents deployed in background or scheduled modes are more exposed because they produce no visible chat output where the user might notice suspicious tool calls.
What's the practical defensive control for teams running personal AI agents with email access?
The most targeted fix is to separate email-processing and memory-write permissions: route untrusted email through a reader agent that has no memory or file-write tools, with only a filtered summary passed onward. Where that separation isn't possible, apply an approval gate specifically to memory-write tool calls that are triggered from external content, and maintain an audit log of all writes with provenance. Periodic manual review of the agent's memory files is low-effort and catches tampering that automated defenses missed in the study.