{"paper":{"title":"Sleeper Channels and Provenance Gates: Persistent Prompt Injection in Always-on Autonomous AI Agents","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Always-on AI agents allow untrusted inputs to persist across interfaces as sleeper channels and activate later without the attacker present.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Dmitry Namiot, Narek Maloyan","submitted_at":"2026-05-13T12:57:31Z","abstract_excerpt":"Always-on AI agents (OpenClaw, Hermes Agent) run as a single persistent process under the owner's identity, folding messaging, memory, self-authored skills, scheduling, and shell into one authority boundary. This configuration opens what we call \\emph{sleeper channels}: an untrusted input to one surface persists as a memory, skill, scheduled job, or filesystem patch, then fires later through a different surface with no attacker present. Two independent axes define the class: persistence substrate and firing-separation. We walk a confused-deputy cron attack end-to-end through OpenClaw at a pinn"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"D2 carries a soundness theorem against seven named deployment invariants. D2 keys on a canonical action-instance digest with one-shot owner attestations, defeating paraphrase laundering, multi-input grant reuse, and replay.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The seven deployment invariants hold in real always-on agent deployments, and one-shot owner attestations can be implemented without introducing new attack surfaces or usability issues.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Sleeper channels enable persistent prompt injection in always-on AI agents via persistence substrate and firing separation, countered by provenance gates using action digests and owner attestations with a soundness theorem.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Always-on AI agents allow untrusted inputs to persist across interfaces as sleeper channels and activate later without the attacker present.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"621d85129efaae8dec421b974a2c534800d77dd2f14cb9780207e9d05cda87f3"},"source":{"id":"2605.13471","kind":"arxiv","version":1},"verdict":{"id":"50e7379e-c03b-430f-98ad-8a63f0e84c72","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T18:19:49.256458Z","strongest_claim":"D2 carries a soundness theorem against seven named deployment invariants. D2 keys on a canonical action-instance digest with one-shot owner attestations, defeating paraphrase laundering, multi-input grant reuse, and replay.","one_line_summary":"Sleeper channels enable persistent prompt injection in always-on AI agents via persistence substrate and firing separation, countered by provenance gates using action digests and owner attestations with a soundness theorem.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The seven deployment invariants hold in real always-on agent deployments, and one-shot owner attestations can be implemented without introducing new attack surfaces or usability issues.","pith_extraction_headline":"Always-on AI agents allow untrusted inputs to persist across interfaces as sleeper channels and activate later without the attacker present."},"references":{"count":38,"sample":[{"doi":"","year":2026,"title":"OpenClaw: Personal AI assistant runtime,","work_id":"a707681b-aa41-4db5-abb6-62875ea80660","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2026,"title":"Nous Research, “Hermes Agent,” https:// github.com/nousresearch/hermes-agent, commit 98d75dea5a86aec599b1e081f8bbe9170bd3f964, 2026- 04-27; releasev0.11.0, 2026-04-23, 2026","work_id":"0421fe9f-3fb8-4764-a964-820992ac08d0","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection","work_id":"7a8cfce1-ada7-4a7a-8516-6f16b1bd077b","ref_index":3,"cited_arxiv_id":"2302.12173","is_internal_anchor":true},{"doi":"","year":2024,"title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","work_id":"7b1b672f-e6b4-4df9-aa8b-3396a2eb8b16","ref_index":4,"cited_arxiv_id":"2406.13352","is_internal_anchor":true},{"doi":"","year":2025,"title":"Memorygraft: Persistent compromise of llm agents via poisoned experience retrieval","work_id":"90120582-e1b6-45f2-af30-e61c82587d05","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":38,"snapshot_sha256":"61a0793bb169ff3e135a426d415abc50a5b1f99bf7db58b3930cde3aa8c0e806","internal_anchors":8},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}