Why can a poisoned document silently exfiltrate everything my assistant knows about me?
Opportunity
In June 2025, Aim Security disclosed EchoLeak, the first documented zero-click prompt injection that caused real data exfiltration from a production AI system. A single malicious email caused Microsoft Copilot to silently transmit sensitive data with no user interaction. The structural problem is that AI assistants with persistent memory and tool-calling access combine two dangerous properties: they hold accumulated personal context, and they can be made to act on instructions embedded in untrusted content. Every new document, email, or webpage the assistant reads is a potential instruction surface. There is no isolation boundary between the memory the user trusts the assistant to hold and the instructions it follows from external content, and current sandboxing proposals address tool calls but not memory read access.
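To make the missing boundary concrete, here is an added illustration (not code from Aim Security, Microsoft, or this page) of a mediator that labels every context item with its provenance and tracks memory reads as well as tool calls, so that a turn containing untrusted content that has also read memory is denied any outbound tool call. The names Mediator, Turn, the tool names and the email text are constructed for the example.

```python
from dataclasses import dataclass, field

TRUSTED, UNTRUSTED = "trusted", "untrusted"   # provenance labels on context items
OUTBOUND_TOOLS = {"send_email", "http_get"}    # tool calls that can carry data out

@dataclass
class Turn:
    """What the model sees in one turn, plus whether memory was read."""
    context: list = field(default_factory=list)   # (label, text) pairs
    memory_read: bool = False
    log: list = field(default_factory=list)

class Mediator:
    """Sits between the model and memory/tools and enforces a no-flow rule:
    untrusted input + memory read in one turn => no outbound tool call."""
    def __init__(self, memory: dict):
        self.memory = memory                       # persistent per-user store

    def ingest(self, turn: Turn, label: str, text: str) -> None:
        turn.context.append((label, text))         # documents, emails, web pages

    def read_memory(self, turn: Turn, key: str):
        turn.memory_read = True                    # memory access is tracked, not only tool calls
        return self.memory.get(key)

    def tool_call(self, turn: Turn, name: str) -> bool:
        untrusted = any(lab == UNTRUSTED for lab, _ in turn.context)
        if name in OUTBOUND_TOOLS and untrusted and turn.memory_read:
            turn.log.append(f"DENY {name}")        # memory could flow out under injected instructions
            return False
        turn.log.append(f"ALLOW {name}")
        return True

def run_scenario() -> list:
    """Constructed scenario: an untrusted email sits in context, the assistant
    reads memory, then attempts an outbound call; a clean turn is allowed."""
    m = Mediator({"profile": "(constructed) user's private notes"})
    t = Turn()
    m.ingest(t, TRUSTED, "user: summarise my inbox")
    m.ingest(t, UNTRUSTED, "(constructed) inbound email body")
    m.read_memory(t, "profile")
    m.tool_call(t, "http_get")           # outbound after memory read -> denied
    clean = Turn()
    m.ingest(clean, TRUSTED, "user: email my notes to me")
    m.read_memory(clean, "profile")
    m.tool_call(clean, "send_email")     # no untrusted content -> allowed
    return t.log + clean.log
```

A sandbox that only inspects tool calls would see nothing wrong with the first `http_get`; the denial comes from correlating it with the memory read and the untrusted label.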
Why it matters
Personal AI memory turns every malicious document into a targeted dossier-theft attack, a new attack class with no mature defense.
How I score the opportunity
The Opportunity Score is my own read, not a measurement: how much it hurts, how often it bites, and how little exists to solve it today. Higher means I think it is more worth building.
How much pain it causes when it shows up.
How often people actually run into it.
How little good tooling exists for it today.