Mind Your HEARTBEAT! Claw Background Execution Inherently Enables Silent Memory Pollution

Yechao Zhang, Shiqian Zhao, Jie Zhang, Gelei Deng, Jiawen Zhang, Xiaogeng Liu, Chaowei Xiao, Tianwei Zhang

Abstract

We identify a critical security vulnerability in mainstream Claw personal AI agents: untrusted content encountered during heartbeat-driven background execution can silently pollute agent memory and subsequently influence user-facing behavior without the user's awareness. This vulnerability arises from an architectural design shared across the Claw ecosystem: heartbeat background execution runs in the same session as user-facing conversation, so content ingested from any external source monitored in the background (including email, message channels, news feeds, code repositories, and social platforms) can enter the same memory context used for foreground interaction, often with limited user visibility and without clear source provenance. We formalize this process as an Exposure (E) $\rightarrow$ Memory (M) $\rightarrow$ Behavior (B) pathway: misinformation encountered during heartbeat execution enters the agent's short-term session context, potentially gets written into long-term memory, and later shapes downstream user-facing behavior. We instantiate this pathway in an agent-native social setting using MissClaw, a controlled research replica of Moltbook. We find that (1) social credibility cues, especially perceived consensus, are the dominant driver of short-term behavioral influence, with misleading rates up to 61%; (2) routine memory-saving behavior can promote short-term pollution into durable long-term memory at rates up to 91%, with cross-session behavioral influence reaching 76%; (3) under naturalistic browsing with content dilution and context pruning, pollution still crosses session boundaries. Overall, prompt injection is not required: ordinary social misinformation is sufficient to silently shape agent memory and behavior under heartbeat-driven background execution.

Paper Structure (41 sections, 6 figures, 7 tables)

Figures (6)

  • Figure 1: Shared-context execution in Claw systems. Different Claw variants all use heartbeat to periodically monitor external sources. Content encountered during background monitoring enters the same session context used for foreground user interaction, even though much of this background processing may not be explicitly surfaced to the user.
  • Figure 2: User-Initiated Retrieval vs. Heartbeat Background Ingestion. In the tool-call path (left), the agent searches on behalf of a live user query. Poisoned content is likely returned with a reference, giving the user a chance to inspect and reject it. In the heartbeat path (right), the agent encounters the same poisoned content during unsupervised background activity. The content is absorbed into long-term memory, its provenance is lost (source laundering), and it later resurfaces as authoritative "own knowledge", making the user more likely to trust and act on it.
  • Figure 3: Illustration of how misinformation encountered during heartbeat-driven background execution pollutes the agent's memory context and later influences behavior through short-term persistence in a shared session (left) and long-term persistence across sessions (right).
  • Figure 4: Overview of the three evaluation procedures. Study 1 measures same-session carry-over by evaluating ASR immediately after heartbeat exposure. Studies 2 and 3 are filled with random tasks before save prompting; we first measure whether polluted content is saved, then evaluate downstream ASR in a fresh session. Study 3 replaces directed single-post exposure with diluted exposure inside a larger feed.
  • Figure 5: Study 1 results under different authority–consensus combinations. Left: ASRs across social-signal conditions. Right: domain-level ASRs. A/B denotes authority/consensus, and 1/2 denotes presence/absence of the cue. Each half compares downstream attack success with and without web_search.
  • ...and 1 more figures
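
The Exposure → Memory → Behavior pathway from the abstract and the source laundering described in Figure 2, as a toy model added here (not code from the paper or from any Claw implementation). `ToyAgent`, its methods, the feed name and the sample post are hypothetical, and holding heartbeat-tagged entries for review is an assumed control, not a mitigation taken from the paper.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Entry:
    text: str
    source: Optional[str]  # None = provenance was never recorded

@dataclass
class ToyAgent:
    track_provenance: bool
    session: list = field(default_factory=list)    # short-term context
    long_term: list = field(default_factory=list)  # persists across sessions
    held: list = field(default_factory=list)       # awaiting user review

    def user_turn(self, text):
        self.session.append(Entry(text, "user" if self.track_provenance else None))

    def heartbeat(self, feed, posts):
        # Exposure: background content lands in the same session as user chat.
        for post in posts:
            tag = f"heartbeat:{feed}" if self.track_provenance else None
            self.session.append(Entry(post, tag))

    def save_memory(self):
        # Memory: a routine save promotes session content to long-term storage.
        for e in self.session:
            if e.source and e.source.startswith("heartbeat:"):
                self.held.append(e)   # assumed control: hold untrusted input
            else:
                self.long_term.append(e)

    def new_session(self):
        self.session = []             # long_term survives the session boundary

    def recall(self, keyword):
        # Behavior: everything the agent can draw on when answering the user.
        pool = self.session + self.long_term
        return [(e.text, e.source) for e in pool if keyword in e.text.lower()]

# Constructed sample post: ordinary misinformation, no prompt injection.
POST = "Consensus in this thread: the acme-sync tool needs 64 GB of RAM"

def run(track_provenance):
    agent = ToyAgent(track_provenance)
    agent.user_turn("Remind me to review my backup plan on Friday")
    agent.heartbeat("social-feed", [POST])
    same_session = agent.recall("acme-sync")   # short-term carry-over
    agent.save_memory()
    agent.new_session()
    return same_session, agent.recall("acme-sync"), list(agent.held)
```

With `track_provenance=False` the post is recalled in a fresh session with no source attached; with `True` it stays attributable in the same session and never reaches long-term memory.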