Memory Poisoning as Attack Surface
https://simonwillison.net/2025/Sep/18/agents/
Agent persistent memory is an attack surface: an adversarial document in the environment can instruct the agent's memory tool to write malicious facts, poisoning the long-term store. The more capable the memory system, the larger the injection surface. Conversation history is memory's first-class form; long-term memory is "an extra set of tools."
At a glance
- Type
- Security framing
- Tier
- T5
- Created
- 2024 (AgentPoison NeurIPS 2024; Lakera blog Nov 2025; concept crystallised 2024 with AgentPoison paper)
- Latest release
- not applicable — not OSS
- License
- not applicable — not OSS
- GitHub
- not applicable — no GitHub repo
- Pricing
- not applicable — not commercial
- Funding
- not applicable — not commercial
Taxonomy
- storage
- n/a
- retrieval
- n/a
- persistence
- n/a
- update
- n/a
- unit
- n/a
- governance
- n/a
- conflict
- n/a
When to use
Optimised for: not applicable - theoretical / not a system
Anti-fit: not applicable - theoretical / not a system
Pros & cons
Pros
Frames agent persistent memory as a first-class attack surface; widely cited by security practitioners; ongoing series.
Cons
Blog framing; provides analysis but does not specify concrete countermeasures.
Claims & capabilities
Simon Willison (creator of Datasette, coined "prompt injection"), Sept 2025 + ongoing series.
Technical surface
- API surface
- not applicable — theoretical / not a system
- Backend storage
- not applicable — theoretical / not a system
- Deployment
- not applicable — not a deployable product
- Embedding model
- not applicable — theoretical / not a system
- Multi-tenancy
- not applicable — theoretical / not a system
- MCP
- not applicable — theoretical / informal idea
- A2A
- not applicable — theoretical / informal idea
- OpenTelemetry
- not applicable — theoretical / informal idea
Similar systems
Other theoretical / informal — ideas without a paper in the catalog, ranked by inbound references.
- From Human Memory to AI Memory (survey) T4
Eight-quadrant classification grid across personal/system, parametric/non-parametric, and short-term/long-term axes. Bridges cognitive-science memory taxonomy to LLM architecture choices, less common than purely engineering-oriented surveys. v2 revision April 23, 2025.
- Context Engineering T5
"+1 for 'context engineering' over 'prompt engineering' … the delicate art and science of filling the context window with just the right information for the next step." The LLM is "a coworker with anterograde amnesia" — cannot consolidate or build long-running knowledge once training ends.
- Context Engineering — naming event T5
Endorses "context engineering" as a distinct discipline from prompt engineering — what agents do with their context window (routing, compression, tool output formatting, memory retrieval injection) is engineering, not just prompting.
- Context Expansion Law T5
"Application context tends to expand to fill the context limits supported by the model." Treats agent memory as a first-class unresolved design problem rather than a solved component; explicitly defers a memory deep-dive to a future post.
- Externalization in LLM Agents T4
Traces the shift from weights-as-capability to harness-as-capability; analyzes memory, skills, and protocols as three coupled forms of externalization and examines how they interact. Memory is defined as the externalization of state across time. Covers self-evolving harnesses and shared agent infrastructure as emerging directions. April 9, 2026.
- Files Are All You Need T5
Coding agents (Claude Code, Cursor) converge on the filesystem as their primary memory abstraction: conversation histories as searchable files, skills as files, retrieval via file search rather than vector DBs. Argument: LLMs are fluent with filesystem concepts, so the filesystem is the right interface even if storage underneath is a database.