Stealth Memory Injection: AI Assistants Vulnerable to Persistent Manipulation via Email
New research reveals a potent attack vector, dubbed 'stealth memory injection,' capable of subtly altering the long-term memory of AI assistants through a single, specially crafted email. This technique allows attackers to plant false 'facts' that influence the assistant's future responses and actions, all without the user's knowledge.
# Stealth Memory Injection: AI Assistants Vulnerable to Persistent Manipulation via Email
Imagine your AI assistant, designed to remember your preferences and tasks, being silently reprogrammed to believe a lie about you. This isn't science fiction; it's the core finding of new research detailing 'stealth memory injection,' an attack that leverages a single email to rewrite an AI agent's understanding of its user.
Researchers developed a tool called **MemGhost** to automate this process. The attack, outlined in the paper "When Claws Remember but Do Not Tell," published on **arXiv** on July 6, 2026, demonstrates how an AI assistant can be tricked into saving a false 'fact' and subtly steering its answers in subsequent sessions, with the user remaining oblivious.
## Understanding Persistent AI Assistants
Personal AI agents differ from typical chatbots by retaining information across sessions. They maintain a 'memory' β often stored in plain text files β containing user preferences, contacts, and past interactions. This persistent state allows them to offer a personalized and continuous experience, reading these notes to provide context at the start of every new interaction.
Many of these agents also possess the capability to act autonomously, managing emails, calendars, and executing scheduled tasks. **OpenClaw**, an open-source agent used as the primary target in this study, stores its instructions in `AGENTS.md` and learned user data in `MEMORY.md`. These files are crucial to the agent's functionality and, critically, are the focus of this attack.
## The One-Email Attack Explained
The **stealth memory injection** attack doesn't require compromising user accounts or passwords. Instead, it exploits the common functionality of AI assistants that monitor user inboxes. An attacker sends an email containing hidden instructions aimed at the AI agent, not the human recipient.
If the agent's email processing skill is successfully exploited, a sequence of events unfolds:
1. The agent uses its internal file tools to embed the attacker's false information into its persistent memory.
2. The agent's visible reply to the user makes no mention of this memory modification.
3. In future conversations, the newly planted false 'fact' alters the agent's responses or actions.
For instance, one test case saw the agent's memory updated to falsely state that the user's **Zelle** daily sending limit had been raised to $10,000.
Users typically don't detect these changes because agents are designed to hide their background operations, memory file edits are not explicitly logged in chat, and few users inspect raw memory files. Furthermore, agents operating in the background often send no notifications, leaving no trace of the manipulation.
To ensure persistence, the attack targets core memory files that are loaded at the beginning of every session, embedding the false information for consistent influence.
## MemGhost and WhisperBench: Tools of the Trade
**MemGhost**, the tool developed by the researchers, automates the creation of these malicious emails. It was trained offline against a shadow copy of a personal agent, learning to craft emails that successfully inject memory while keeping the agent's reply silent. The tool can generate the complete attack email in a single shot, without direct interaction with the victim.
In controlled tests, **MemGhost** achieved significant success:
* 87.5% success rate in background-mode runs against **OpenClaw** on **GPT-5.4**.
* 71.4% success rate against a **Claude Code SDK** agent on **Sonnet 4.6**.
These results were observed in isolated environments with simulated inboxes, meaning the study did not evaluate whether these malicious emails could bypass real-world spam filters or sender authentication.
Success rates were generally lower in foreground-mode tests where users could see the agent's replies. However, background-mode efficacy remained above 80% on other agent frameworks and when using vector-based memory stores. The team also created **WhisperBench**, a comprehensive 108-case benchmark covering risks from medical misinformation to financial fraud and security sabotage.

Crucially, **MemGhost** managed to circumvent existing defenses. An input filter designed to detect poisoned emails missed **MemGhost's** messages more than 90% of the time. Even models explicitly hardened against email-based instructions still followed the planted commands approximately half the time. When users directly asked the agent to report its actions, the attack remained hidden in about a quarter of cases on one model.
## The Path to Remediation
There is no immediate, simple patch for this vulnerability. **OpenClaw's** security policy, for example, currently considers prompt injection out of scope for a fix unless it also breaches authorization, tool-policy, approval, or sandbox boundaries. **MemGhost** bypasses these by operating through the agent's own legitimate memory-write tools.
The study's authors advocate for deeper, agent-side fixes:
* Tagging the provenance of each piece of information stored in memory.
* Requiring user confirmation before writing anything to durable memory.
* Implementing comprehensive logging of all memory write operations.
Until such internal safeguards are in place, any agent that both reads untrusted email and can write to its own memory without explicit user approval remains exposed. Practical mitigation strategies include separating email reading functions from memory-writing capabilities, or at least limiting what an email-triggered process can modify. Regular manual inspection of memory files after suspicious emails is also advised.
**OpenClaw** acknowledged the issue and highlighted its security guidance, which recommends routing untrusted emails through a separate, stripped-down reader agent that only passes summaries to the main agent. This configuration, however, was not tested in the paper. They also noted that using more advanced models, like **Claude Opus 4.6**, might offer greater resilience, pointing to the **HackMyClaw** challenge where attempts to extract secrets from an **Opus 4.6** agent via injection emails largely failed (though this challenge focused on data theft, not memory poisoning).
**OpenClaw** confirmed it is actively considering memory-write controls for external content, including provenance tracking, audit logs, and confirmation prompts, aligning with the paper's recommendations.
## Precedent: Manual and Automated Attacks
The concept of manipulating AI memory through untrusted content isn't entirely new. In 2024, researcher **Johann Rehberger** manually demonstrated a similar technique against **ChatGPT** via poisoned web content, which he termed **SpAIware**. This allowed for persistent data exfiltration across future chats. While **OpenAI** patched the data-leak pathway, the underlying ability to write to memory from untrusted content persisted.
A year later, in June 2025, **Aim Security** disclosed **EchoLeak** (**CVE-2025-32711**), a zero-click AI vulnerability. This attack used a hidden-text email to trick **Microsoft 365 Copilot** into revealing internal company data upon a user's subsequent normal query. **Microsoft** swiftly patched this critical vulnerability, with no reported real-world abuse.
What **MemGhost** introduces is the crucial element of automation and persistence. Unlike Rehberger's manual approach or EchoLeak's ephemeral data leak, **MemGhost** uses an automated payload to convert a single email into a false, persistent memory that continues to influence the AI agent's behavior long after the initial message is gone. This research underscores a critical emerging threat to the integrity and reliability of AI assistants, demanding robust security measures to protect against subtle, lasting manipulation.