The Memory Heist

Strong concrete example of why agent safety is mostly about tool composition and trust boundaries, not just whether any single feature looks harmless in isolation.

Original source

Logged at IST: 2026-07-15 13:30 IST

What it is: Ayush Paul’s writeup on prompt-injecting Claude’s memory and browsing system into exfiltrating personal data

Gist: The attack chain was not about breaking the memory store directly, but about combining long-lived personal memory with a browsing agent that could be socially engineered into leaking data through link-by-link URL navigation. The important point is that once an assistant can search history, infer missing details, and autonomously browse attacker-controlled pages, "read-only" web access can still become an exfiltration channel.

Newsletter angle: Strong concrete example of why agent safety is mostly about tool composition and trust boundaries, not just whether any single feature looks harmless in isolation.