Mind Your HEARTBEAT! Claw Background Execution Inherently Enables Silent Memory Pollution
Summary: arXiv:2603.23064v2 Announce Type: replace-cross
Abstract: We identify a critical security vulnerability in mainstream Claw personal AI agents: untrusted content encountered during heartbeat-driven background execution can silently pollute agent memory and subsequently influence user-facing behavior without the user’s awareness. This vulnerability arises from an architectural design shared across the Claw ecosystem: heartbeat background execution runs in the same session as user-facing conversation, so content ingested from any external source monitored in the background (including email, message channels, news feeds, code repositories, and social platforms) can enter the same memory context used for foreground interaction, often with limited user visibility and without clear source provenance.
We formalize this process as an Exposure (E) → Memory (M) → Behavior (B) pathway: misinformation encountered during heartbeat execution enters the agent’s short-term session context, potentially gets written into long-term memory, and later shapes downstream user-facing behavior. We instantiate this pathway in an agent-native social setting using MissClaw, a controlled research replica of Moltbook.
Key Findings
- Social Credibility Cues: Our research indicates that social credibility cues, particularly perceived consensus, are the predominant drivers of short-term behavioral influence. Misinformation can mislead users at rates up to 61%.
- Memory-Saving Behavior: Routine memory-saving behaviors can facilitate the pollution of short-term memory into durable long-term memory, with rates reaching as high as 91%. This highlights the risks of cross-session behavioral influence, which can affect up to 76% of user interactions.
- Content Dilution and Context Pruning: Even in scenarios involving naturalistic browsing, where content dilution and context pruning occur, pollution can still cross session boundaries, demonstrating the pervasive nature of this vulnerability.
Conclusion
Overall, the findings underscore a significant security concern in the Claw ecosystem. The architecture that supports heartbeat-driven background execution is inherently flawed, allowing ordinary social misinformation to shape agent memory and behavior without any need for prompt injection. As personal AI agents become increasingly integrated into daily life, addressing this vulnerability is crucial to ensure user privacy and trust.
This research necessitates a reevaluation of how personal AI systems manage background processes and external content interactions. Developers and stakeholders in the AI industry must prioritize the creation of frameworks that can mitigate these risks, thereby protecting users from unintended behavioral influences stemming from memory pollution.