Mind Your HEARTBEAT! Claw Background Execution Inherently Enables Silent Memory Pollution

TL;DR

This paper reveals a security flaw in Claw AI agents where background content can silently pollute memory and influence behavior without user awareness, highlighting risks of misinformation in shared session architectures.

Contribution

It formalizes the memory pollution pathway in Claw agents, demonstrates its impact with experiments, and emphasizes the threat of ordinary misinformation without prompt injection.

Findings

Misleading content can influence behavior with up to 61% credibility perception.

Memory pollution can reach 91% into long-term memory, affecting behavior across sessions.

Content dilution and pruning do not fully prevent pollution crossing session boundaries.

Abstract

We identify a critical security vulnerability in mainstream Claw personal AI agents: untrusted content encountered during heartbeat-driven background execution can silently pollute agent memory and subsequently influence user-facing behavior without the user's awareness. This vulnerability arises from an architectural design shared across the Claw ecosystem: heartbeat background execution runs in the same session as user-facing conversation, so content ingested from any external source monitored in the background (including email, message channels, news feeds, code repositories, and social platforms) can enter the same memory context used for foreground interaction, often with limited user visibility and without clear source provenance. We formalize this process as an Exposure (E) $\rightarrow$ Memory (M) $\rightarrow$ Behavior (B) pathway: misinformation encountered during heartbeat execution enters the agent's short-term session context, potentially gets written into long-term memory, and later shapes downstream user-facing behavior. We instantiate this pathway in an agent-native social setting using MissClaw, a controlled research replica of Moltbook. We find that (1) social credibility cues, especially perceived consensus, are the dominant driver of short-term behavioral influence, with misleading rates up to 61%; (2) routine memory-saving behavior can promote short-term pollution into durable long-term memory at rates up to 91%, with cross-session behavioral influence reaching 76%; (3) under naturalistic browsing with content dilution and context pruning, pollution still crosses session boundaries. Overall, prompt injection is not required: ordinary social misinformation is sufficient to silently shape agent memory and behavior under heartbeat-driven background execution.