The Memory Heist
Strong concrete example of why agent safety is mostly about tool composition and trust boundaries, not just whether any single feature looks harmless in isolation.
Logged at IST: 2026-07-15 13:30 IST
What it is: Ayush Paul’s writeup on prompt-injecting Claude’s memory and browsing system into exfiltrating personal data
Gist: The attack chain was not about breaking the memory store directly, but about combining long-lived personal memory with a browsing agent that could be socially engineered into leaking data through link-by-link URL navigation. The important point is that once an assistant can search history, infer missing details, and autonomously browse attacker-controlled pages, "read-only" web access can still become an exfiltration channel.
Newsletter angle: Strong concrete example of why agent safety is mostly about tool composition and trust boundaries, not just whether any single feature looks harmless in isolation.