pith. sign in
Pith Number

pith:ECGJDOC4

pith:2026:ECGJDOC4WBHAYH4WQOEWGHXXDW
not attested not anchored not stored refs resolved

Sleeper Channels and Provenance Gates: Persistent Prompt Injection in Always-on Autonomous AI Agents

Dmitry Namiot, Narek Maloyan

Always-on AI agents allow untrusted inputs to persist across interfaces as sleeper channels and activate later without the attacker present.

arxiv:2605.13471 v1 · 2026-05-13 · cs.CR

Open paper page JSON Open Graph Bundle Merged state Verified badge What is a Pith Number?
Add to your LaTeX paper 
\usepackage{pith}
\pithnumber{ECGJDOC4WBHAYH4WQOEWGHXXDW}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv. Learn more · Embed verified badge

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open · sign in to claim
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1strongest claim

D2 carries a soundness theorem against seven named deployment invariants. D2 keys on a canonical action-instance digest with one-shot owner attestations, defeating paraphrase laundering, multi-input grant reuse, and replay.

C2weakest assumption

The seven deployment invariants hold in real always-on agent deployments, and one-shot owner attestations can be implemented without introducing new attack surfaces or usability issues.

C3one line summary

Sleeper channels enable persistent prompt injection in always-on AI agents via persistence substrate and firing separation, countered by provenance gates using action digests and owner attestations with a soundness theorem.

References

38 extracted · 38 resolved · 8 Pith anchors

[1] OpenClaw: Personal AI assistant runtime, 2026
[2] Nous Research, “Hermes Agent,” https:// github.com/nousresearch/hermes-agent, commit 98d75dea5a86aec599b1e081f8bbe9170bd3f964, 2026- 04-27; releasev0.11.0, 2026-04-23, 2026 2026
[3] Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection 2023 · arXiv:2302.12173
[4] AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents 2024 · arXiv:2406.13352
[5] Memorygraft: Persistent compromise of llm agents via poisoned experience retrieval 2025
Receipt and verification
First computed 2026-05-18T02:44:41.544108Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

208c91b85cb04e0c1f968389631ef71d846de55e27478e255b3c884dfc602569

Aliases

arxiv: 2605.13471 · arxiv_version: 2605.13471v1 · doi: 10.48550/arxiv.2605.13471 · pith_short_12: ECGJDOC4WBHA · pith_short_16: ECGJDOC4WBHAYH4W · pith_short_8: ECGJDOC4
Agent API
Resolver JSON Graph JSON Events JSON Schema Signing key
Verify this Pith Number yourself 
curl -sH 'Accept: application/ld+json' https://pith.science/pith/ECGJDOC4WBHAYH4WQOEWGHXXDW \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 208c91b85cb04e0c1f968389631ef71d846de55e27478e255b3c884dfc602569
Canonical record JSON 
{
  "metadata": {
    "abstract_canon_sha256": "43c55b6ac92fb3733bbc07ef04c5ebbf90b768bc46c84949b7a75036b60d71a6",
    "cross_cats_sorted": [],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-13T12:57:31Z",
    "title_canon_sha256": "8ea299384eabaea3c417f6703fd9770cd6b7c1c497edb492017e283e283e09af"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.13471",
    "kind": "arxiv",
    "version": 1
  }
}