这篇论文用Claude Code和OpenAI Codex实测了记忆注入攻击,发现一旦恶意指令写入记忆,后续会话都危险,搞AI安全的一定要看看。
该论文研究了基于记忆的智能体系统中的提示注入攻击风险,评估了Anthropic Claude Code和OpenAI Codex两个系统,以及Claude Haiku 4.5、Claude Opus 4.7、GPT-5.2和GPT-5.5四个模型。实验发现,攻击者难以让代理用不受信任的外部内容覆盖自身记忆文件,但已经植入记忆的有效载荷可成功影响当前和未来会话。攻击成功率和载荷持久性在不同系统、模型和攻击目标间差异显著。研究揭示持久记忆改变了提示注入的威胁模型,需设计保护记忆更新的防御机制。
Bad Memory: Evaluating Prompt Injection Risks from Memory in Agentic Systems
A growing class of agentic systems maintain persistent state across sessions through memory files, behavioral preferences, and knowledge bases. While this makes agents more useful and self-improving, it also creates a new attack surface for prompt injections in which malicious instructions can be embedded within persistent files and influence future behavior. In this work, we study prompt injection attacks in memory-based agentic systems using a sandboxed synthetic workspace. We evaluate two agentic systems, Anthropic Claude Code and OpenAI Codex, across four models: Claude Haiku 4.5, Claude Opus 4.7, GPT-5.2, and GPT-5.5. Our results show that although it is difficult to make an agent overwrite its own memory files using untrusted external content, payloads already planted in those files can successfully attack current and future sessions. Attack success and payload persistence vary substantially across systems, models, adversarial goals, and multi-session attack sequences. These findings show that persistent memory changes the threat model for prompt injection and motivate defenses that protect memory updates without removing useful agent adaptation.