Mind Your HEARTBEAT! Claw Background Execution Inherently Enables Silent Memory Pollution

Abstract: We identify a critical security vulnerability in mainstream Claw personal AI agents: untrusted content encountered during heartbeat-driven background execution can silently pollute agent memory and subsequently influence user-facing behavior without the user's awareness. This vulnerability arises from an architectural design shared across the Claw ecosystem: heartbeat background execution runs in the same session as user-facing conversation, so content ingested from any external source monitored in the background (including email, message channels, news feeds, code repositories, and social platforms) can enter the same memory context used for foreground interaction, often with limited user visibility and without clear source provenance. We formalize this process as an Exposure (E) $\rightarrow$ Memory (M) $\rightarrow$ Behavior (B) pathway: misinformation encountered during heartbeat execution enters the agent's short-term session context, potentially gets written into long-term memory, and later shapes downstream user-facing behavior. We instantiate this pathway in an agent-native social setting using MissClaw, a controlled research replica of Moltbook. We find that (1) social credibility cues, especially perceived consensus, are the dominant driver of short-term behavioral influence, with misleading rates up to 61%; (2) routine memory-saving behavior can promote short-term pollution into durable long-term memory at rates up to 91%, with cross-session behavioral influence reaching 76%; (3) under naturalistic browsing with content dilution and context pruning, pollution still crosses session boundaries. Overall, prompt injection is not required: ordinary social misinformation is sufficient to silently shape agent memory and behavior under heartbeat-driven background execution.

• The paper presents the E->M->B pathway, showing how misinformation during heartbeat execution infiltrates persistent memory in Claw systems.
• Empirical evaluations using the MissClaw environment demonstrate that misinformation impacts behavior immediately by up to 61% and across sessions by up to 76%.
• The study recommends isolating session contexts, ensuring source provenance, and enhancing context management to mitigate silent memory pollution vulnerabilities.

Silent Memory Pollution in Claw AI Systems: A Security Vulnerability Analysis

Introduction

The paper "Mind Your HEARTBEAT! Claw Background Execution Inherently Enables Silent Memory Pollution" (2603.23064) presents a comprehensive analysis of a critical security vulnerability in Claw-based personal AI agents. These agents, which operate under a framework that includes heartbeat-driven background execution, are vulnerable to silent memory pollution. This occurs when misinformation encountered during heartbeat execution enters the agent's shared memory context and influences behavior without the user's knowledge. The paper introduces the Exposure (E) -> Memory (M) -> Behavior (B) pathway as a framework for understanding how misinformation spreads through Claw systems.

Claw System Architecture and Vulnerability

Claw systems are characterized by persistent memory, tool invocation, and integration with messaging channels. They operate through a tool-augmented language-agent loop, driven by heartbeat execution that wakes the agent to monitor and act on external content without explicit user prompts. A key vulnerability arises from the shared-session model, where background and user-facing sessions are not isolated. As a result, content encountered during background execution is processed in the same memory context, creating a pathway for misinformation to enter and persist in the system.

Empirical Evaluation

The researchers developed MissClaw, a controlled experimental environment, to evaluate the E->M->B pathway across different domains: software security, financial decision-making, and academic references. The study found that social credibility cues, especially perceived consensus, significantly influence agent behavior, with misinformation immediately affecting future actions at rates up to 61%. Routine memory-saving behavior can inadvertently transition short-term pollution into long-term memory, with cross-session behavioral influence as high as 76%. Even under realistic conditions with content dilution, polluted content can persist, indicating inadequate defenses within the system's context management.

Implications and Recommendations

The findings highlight a fundamental security risk in heartbeat-driven background execution. The vulnerability lies not in explicit prompt injection but in the subtle absorption of social misinformation. The E->M->B pathway demonstrates that agents are susceptible to misinformation entering and persisting in memory, which can later influence behavior. This vulnerability emphasizes the need for improved security mechanisms in Claw systems, such as source provenance for memory entries, isolated session contexts for heartbeat execution, and more effective context management to prevent silent memory pollution.

Conclusion

The paper identifies a critical architectural vulnerability in Claw-based AI agents, where heartbeat-driven background execution enables silent memory pollution through the E->M->B pathway. This research underscores the importance of addressing memory persistence and source visibility as core security concerns in developing trustworthy persistent agents. The findings provide essential insights into the design choices that exacerbate security vulnerabilities and offer guidance for mitigating risks associated with heartbeat-driven execution in AI systems.