Search papers, labs, and topics across Lattice.
This paper investigates the vulnerability of persistent personal agents to stealth memory injection attacks, where untrusted external content can be covertly written into an agent's long-term memory. The authors introduce WhisperBench, a comprehensive benchmark for evaluating these attacks, and propose MemGhost, a novel framework for generating one-shot payloads that successfully induce memory poisoning while remaining undetected. Results show that MemGhost achieves high success rates across various personal agent architectures and memory backends, highlighting the significant risk of long-term agent compromise through seemingly benign external interactions.
A single email can stealthily poison the memory of personal agents, leading to long-term manipulation of their behavior without detection.
Persistent personal agents combine long-term memory with access to users'external environments, enabling personalized foreground assistance and proactive background execution. This integration also creates a new path to compromise: untrusted external content can be silently written into persistent memory and later reused as trusted state. We study this threat as stealth memory injection, in which a remote black-box adversary delivers a single email payload that must induce the agent to write poisoned memory, stay hidden in the agent's response to the user, and affect future behavior. We introduce WhisperBench, a 108-case benchmark spanning five risk categories and both fact and preference poisoning. Built on a real IMAP/SMTP workflow and an authentic email agent skill, it enables full-cycle evaluation of stealth memory injection attacks. To enable this black-box attack under single-email delivery and without runtime feedback, we propose MemGhost, a one-shot payload generation framework. MemGhost uses an environment proxy to emulate persistent-agent execution and an objective proxy to convert memory adoption and conversational stealth into dense rubric-based rewards, then trains the attacker policy with supervised fine-tuning and reinforcement learning. Across 56 held-out test cases, MemGhost achieves 87.5% end-to-end success on OpenClaw with GPT-5.4 and 71.4% on Claude Code SDK with Sonnet 4.6. It also transfers across personal-agent architectures (NanoClaw and Hermes Agent) and memory backends (filesystem and vector-based Mem0), and remains effective against input-level, model-level, and system-level defenses. These results suggest that persistent memory can turn ordinary external processing into a practical pathway for long-term agent compromise.