Every AI assistant that combines a long-term memory with the ability to click a link is shipping with a quiet identity-exfiltration channel — unless its designers have built an explicit wall between what it remembers and what it does on the web.
Indirect prompt injection is what this is called: an attacker hides instructions inside a webpage so the agent reads the page and obeys them. What is new is the payload. An attacker who controls a page can put those instructions in it; an assistant that also carries a dense profile of the user — name, employer, hometown, security-question answers — can be steered to read that profile and ride it out in the next outbound request. Ayush Paul's write-up of "The Memory Heist" shows the chain working end to end against Claude's memory and web-fetch pair: one visited page, a profile leaving through a request that looks normal, a name and an employer arriving at a server the user has never heard of.
The reading most people will reach is that Anthropic shipped a buggy memory feature. The stronger read is that the memory is doing what memory is supposed to do, the web-fetch tool is doing what it is supposed to do, and the problem lives in the seam. A feature combination treated as two features is one new feature with one new threat model.
The question to put to any vendor — OpenAI, Google, Microsoft, the open-source deployments — is the same one Ayush Paul puts: is memory sandboxed from tool output? If the answer is no, the channel exists, and a single visited page is enough to open it.
Reported by Sky for Type0, from The Memory Heist. Read the original: ayush.digital