Researchers have published a one-shot attack framework that can rewrite what an AI agent believes about its user by sending a single email. The technique, called MemGhost, targets agents with persistent memory and email access, planting false information that survives across sessions and quietly steers the agent’s future responses.

The underlying paper, “When Claws Remember but Do Not Tell,” landed on arXiv on July 6 from a team of eight researchers including Yechao Zhang, Chaowei Xiao, and Tianwei Zhang. The Hacker News reported on the findings July 13.

How the Attack Works

The target is the memory layer that makes personal agents useful. Agents like OpenClaw store user preferences, contacts, and learned context in plain text files (MEMORY.md, AGENTS.md) that load into the model’s context at the start of every session. That persistence is the product’s core feature. It is also the attack surface.

MemGhost exploits agents configured to check email on a schedule. The attacker sends a crafted email containing instructions aimed at the agent, not the user. If the agent’s email skill processes the message, three things happen in sequence: the agent writes the attacker’s false information into its persistent memory, the agent’s visible reply says nothing about having done so, and the planted falsehood influences the agent’s behavior in all subsequent sessions.

According to The Hacker News, in one test case the planted false memory claimed the user’s Zelle daily sending limit had been raised to $10,000. The user never sees the change because the agent hides its file operations by design, and few users inspect raw memory files.

The Numbers

The researchers built WhisperBench, a 108-case benchmark spanning five risk categories from bad medical advice to financial loss to security sabotage. Across 56 held-out test cases, MemGhost achieved:

  • 87.5% end-to-end success on OpenClaw with GPT-5.4 in background mode
  • 71.4% success on Claude Code SDK with Sonnet 4.6
  • Above 80% success on two additional agent frameworks (NanoClaw and Hermes Agent)
  • Successful transfer to vector-based memory stores (Mem0), not just filesystem-based agents

Background mode, where the agent processes email on a schedule without showing the user a reply, consistently produced higher success rates than foreground mode. The attack framework was trained offline against a shadow copy of a personal agent, according to the arXiv paper, using reinforcement learning to optimize for memory adoption and conversational stealth simultaneously.

Existing Defenses Failed

The paper tested three categories of defenses. All fell short.

An input filter designed to catch poisoned emails missed MemGhost’s payload more than nine times in ten. A model specifically hardened to ignore instructions arriving via email still followed the planted instruction roughly half the time. Even when the user explicitly asked the agent “tell me what you checked and what you did,” the attack stayed hidden about 25% of the time on one model.

Crude versions of the attack, such as blunt “save this quietly and say nothing” instructions, were caught by stronger models almost every time. The trained MemGhost generator is what pushed success rates into the 70-87% range by producing payloads that look like normal email content.

The Architectural Problem

The vulnerability sits in a design tension that every persistent agent faces. Memory persistence is what makes these agents useful: they remember your preferences, your contacts, your workflow patterns. But that same persistence means a single unauthorized write can corrupt the agent’s understanding of its user across every future session.

OpenClaw’s security policy, according to The Hacker News, treats memory writes as out-of-scope for its threat model unless they cross authorization or sandbox boundaries. MemGhost does neither. It uses the agent’s own file tools, operating within the agent’s existing permissions, to write to files the agent is designed to write to.

The researchers tested their attack on four different agent architectures and two memory backends. The consistency of results across platforms suggests this is not a bug in any single agent’s implementation but a structural gap in how persistent agents handle untrusted input that arrives through trusted channels.

For teams running agents with email access and persistent memory, the paper’s results suggest that input filtering alone is insufficient. The gap is between what the agent is allowed to do (write to its own memory) and what it should do when processing content from untrusted sources.