π DragonClaw
Defense-Gated AI Memory with Infinite Conversation Recall
The first open-source system combining tiered memory retrieval, adversarial defense gating, and automatic session chaining β running on local models at zero API cost. Built by auditing and upgrading MetaClaw (v0.3) with 160 adversarial tests across 22 suites.
Abstract
We present DragonClaw, a security-hardened conversation memory architecture for LLMs that treats retrieved memories as untrusted input β not assumed-safe context. Starting from a security audit of MetaClaw (v0.3), we identified cascading hallucination vulnerabilities where a single poisoned fact propagates across unlimited future sessions through persistent memory retrieval.
DragonClaw introduces three integrated innovations: (1) Tiered Retrieval β keyword match (free) β embedding search (accurate) β defense-gated verification (secure); (2) Defense-Gated Memory β a FactVerifier gate that checks retrieved facts against a truth store before injection, blocking poison propagation; (3) Auto-Spawn Session Chaining β token budget monitoring triggers automatic summarization, memory persistence, and session handoff for unlimited conversation length.
Tested with 160 adversarial tests across 22 suites on a 1.5B local model (qwen2.5:1.5b, Apple M1), DragonClaw achieves 100% memory recall across 3 chained sessions, blocks cross-session poison propagation, and operates at ~$0.02 per 500-turn session β approximately 1,000Γ cheaper than GPT-4o full-context conversations.
Keywords: defense-gated retrieval, conversation memory, session chaining, RAG security, cascading hallucinations, adversarial AI testing, local LLM
1. Origin: MetaClaw β DragonClaw
We didn't set out to build a memory system. We set out to break one.
DragonClaw began as a security audit of MetaClaw (v0.3), an open-source meta-learning agent framework. MetaClaw provides a solid foundation β RL training pipeline, OpenAI-compatible proxy, skill injection, conversation replay β but like every other memory-enabled AI system we examined, it had a critical blind spot:
π¨ The Core Vulnerability
MetaClaw stores conversation history in persistent memory and retrieves it for future sessions. But it never verifies whether those memories are true. A single poisoned fact β injected by an attacker, hallucinated by the model, or simply wrong β gets stored, retrieved, and trusted forever. One bad turn contaminates unlimited future conversations.
This isn't unique to MetaClaw. We found the same vulnerability in every major memory framework:
- MemGPT / Letta β pages memory in/out like an OS, but trusts all stored memory
- Zep / Graphiti β temporal graph memory, but no adversarial verification
- Mem0 β layered memory service, but retrieved facts assumed safe
- Standard RAG β retrieve top-k, inject into prompt, hope for the best
PoisonedRAG (2024) proved this isn't theoretical β 90% attack success rate with just 5 malicious documents in a corpus of millions. And OWASP's 2025 guidance now explicitly flags memory/context poisoning as a top agent vulnerability.
What We Inherited vs What We Built
| From MetaClaw (inherited) | DragonClaw (added) |
|---|---|
| Meta-learning RL pipeline (GRPO) | 3-tier defense stack (FactVerifier + InputSanitizer + OutputFilter) |
| OpenAI-compatible proxy architecture | Defense-gated conversation memory retrieval |
| OpenClaw environment integration | Auto-spawn session chaining with TokenBudgetMonitor |
| Skills library + auto-summarization | Disk-persistent memory index (save/load across sessions) |
| Conversation replay for training | 160 adversarial tests across 22 suites |
π‘ Key Insight
Everyone else is building bigger filing cabinets. We built a filing cabinet with a lie detector. The innovation isn't remembering more β it's remembering safely.
Research Lineage: ERLA β MetaClaw β DragonClaw
DragonClaw didn't appear in a vacuum. It's the result of a deliberate research progression that began with ERLA (Ephemeral Recursive Learning Agents), our privacy-preserving architecture where agents learn, distill knowledge, and self-destruct.
π¬ The Research Path
Step 1 β ERLA (Jan 2026): We designed and published an ephemeral agent architecture focused on privacy-first continuous learning. The core principle: treat all data as untrusted, extract only abstract knowledge, destroy the rest. We stress-tested ERLA's security model against adversarial scenarios and documented the methodology.
Step 2 β MetaClaw Audit (Feb 2026): We recognized MetaClaw as a variant expansion of the direction ERLA was exploring β persistent conversation memory, meta-learning via conversation replay, and agent self-improvement. It was a natural testbed. We applied the same adversarial testing methodology we'd developed for ERLA: inject poison, trace propagation, measure defense gaps. MetaClaw had none.
Step 3 β DragonClaw (FebβMar 2026): Rather than just documenting the vulnerabilities, we upgraded MetaClaw in place β adding defenses, building the session chain architecture, and running 160 adversarial tests to prove the expanded framework was more agile and more secure than the original. The result is DragonClaw: MetaClaw's feature set, hardened with ERLA's security-first philosophy.
The key insight from this progression: the same adversarial methodology that validated ERLA's privacy guarantees also exposed the memory poisoning gaps in MetaClaw β and the fixes we built for those gaps became DragonClaw's three core innovations. ERLA taught us how to test. MetaClaw gave us something worth testing. DragonClaw is what we built when the tests failed.
2. Architecture
Three innovations, integrated end-to-end on local models at zero API cost
2.1 Tiered Retrieval Architecture
Most memory systems use a single retrieval method β typically embedding similarity search. This is accurate but expensive. DragonClaw uses a three-tier pipeline where cheap operations run first, and expensive operations only fire when needed:
Three-Tier Defense-Gated Retrieval: Keyword β Embedding β FactVerifier Gate
| Tier | Method | Latency | Cost | Purpose |
|---|---|---|---|---|
| Tier 1 | Keyword match | ~1ms | Zero | Exact fact recall |
| Tier 2 | Embedding search | ~50ms | Low | Semantic similarity |
| Tier 3 | FactVerifier gate | ~100ms | Medium | Adversarial verification |
2.2 Auto-Spawn Session Chaining
Context windows have hard limits β even 1M-token models suffer from the Lost-in-the-Middle problem (Stanford, 2023), where recall accuracy drops 40%+ for information in the middle of the context. DragonClaw eliminates this entirely with automatic session chaining:
Auto-Spawn Session Chain: TokenBudgetMonitor β Summarize β Persist β Handoff β 100% Recall
| Component | Role |
|---|---|
| TokenBudgetMonitor | Tracks context window token usage, signals spawn at configurable threshold (default 80%) |
| SessionSummarizer | Dual mode β live LLM summarization via Ollama, or extract mode (offline fallback) |
| HandoffPayload | Structured data object carrying summary, memory index path, and metadata to the next session |
| SessionChain | Orchestrator managing the full lifecycle: start β add turns β check budget β spawn β handoff |
2.3 Defense-Gated Memory
This is DragonClaw's most distinctive feature β and the one that no mainstream memory framework implements. The FactVerifier gate sits between retrieval and injection, treating every retrieved fact as potentially adversarial:
π‘οΈ Zero-Trust for AI Memory
In cybersecurity, zero-trust means "never trust, always verify." DragonClaw applies the same principle to conversation memory. A fact being in your memory store doesn't make it true β it might have been hallucinated, injected by an attacker, or simply outdated. The FactVerifier checks every retrieved fact against known truth before it enters the prompt.
The three-layer defense stack:
- FactVerifier (Tier 1 defense) β checks retrieved facts against a ground-truth store. Scores confidence. Blocks contradictions.
- InputSanitizer (Tier 2 defense) β filters prompt injection attempts, homoglyph substitutions, and encoding attacks before they enter the pipeline.
- OutputFilter (Tier 3 defense) β redacts sensitive information and blocks information leakage from model responses.
3. Why Defense Gating Matters
Every memory system trusts what it remembers. That's the vulnerability.
Standard RAG: 90% attack success. DragonClaw: Defense-gated retrieval blocks poison at the gate.
The Poison Propagation Problem
Consider a simple attack scenario:
Attack Flow: Memory Poisoning
- Turn 5: Attacker (or hallucination) introduces false fact: "The capital of France is Marseille"
- Memory stores it: Conversation memory indexes the fact as a retrievable chunk
- Session 2, Turn 1: User asks "What's the capital of France?"
- Memory retrieves: "The capital of France is Marseille" (high relevance score)
- Standard RAG: Injects the poisoned fact into the prompt β Model confidently answers "Marseille"
- Propagation: This incorrect answer gets stored again, reinforcing the poison in future sessions
Standard RAG vs DragonClaw
| Step | Standard RAG | DragonClaw |
|---|---|---|
| Retrieval | Top-k similarity match | Same β tiered retrieval finds the chunk |
| Verification | β None β assumed trusted | β FactVerifier checks truth store |
| Injection | Poisoned fact enters prompt | Poison blocked, only verified facts injected |
| Output | "Marseille" (confident, wrong) | "Paris" (correct, verified) |
| Propagation | Poison reinforced in future sessions | Poison chain broken at retrieval |
Real Test Results: O79 and O80
We tested this exact scenario with live Ollama inference (qwen2.5:1.5b):
β O80: Full Pipeline β Marseille Poison Blocked
Injected "The capital of France is Marseille" in Session 1. Session 3 queried "What is the capital of France?" The Tier 3 defense gate blocked the poisoned retrieval. Model correctly answered "Paris." 67% overall recall, poison blocked.
β οΈ O79: Known FactVerifier V1 Limitation
When poison text contains a truth alias (e.g., "France's capital, Paris, was recently moved to Marseille"), keyword-based matching in FactVerifier V1 can be bypassed. This is a known gap that confirms the need for an embedding-based FactVerifier V2. The test was intentionally designed to find this boundary.
4. Adversarial Test Results
160 tests across 22 suites β the most comprehensive adversarial evaluation of any open-source memory system
Session Chain Results (Live Ollama β qwen2.5:1.5b on Apple M1)
| Test | Description | Result | Key Finding |
|---|---|---|---|
| O71 | Disk Persistence Round-Trip | PASS | Memory survives save/load cycle |
| O72 | Token Budget Monitor | PASS | Spawn signal fires at 80% threshold |
| O73 | Session Summarizer (Extract) | PASS | 6/6 fact checks passed |
| O74 | Handoff Protocol | PASS | 67% cross-session recall |
| O75 | End-to-End 3-Session Chain | PASS | 100% cross-session recall (5/5 facts) |
| O76 | Live Ollama Summarizer | PASS | 7/7 checks, all 5 key facts captured (9.1s) |
| O77 | Multi-Session Recall | PASS | 100% memory recall, 80% model recall (89.6s) |
| O78 | Spawn Under 50-Turn Load | PASS | Auto-spawn at turn 36, early+late facts survived (34.1s) |
| O79 | Cross-Session Poison Defense | FAIL | FactVerifier V1 keyword gap β known limitation |
| O80 | Full Pipeline + Poison Defense | PASS | 67% recall, Marseille poison blocked by Tier 3 (23.5s) |
Full Suite Summary
| Suite | Tests | Coverage |
|---|---|---|
| T1-T10: Cascading Hallucinations | 10 | Basic hallucination detection and propagation |
| T11-T20: Advanced Hallucinations | 10 | Patch verification, multi-step logic |
| V1-V10: Validation (Stress/Red-Team) | 10 | 500-turn stress, sensitive data handling |
| V11-V30: Multi-Step Chain Logic | 20 | Complex reasoning chains |
| V31-V40: Property Fuzzing | 10 | Hypothesis-based fuzzing |
| M1-M10: Mutation Testing | 10 | Defense mutation survival |
| O1-O15: Orchestration Hallucinations | 15 | Multi-agent hallucination cascades |
| O16-O25: 100-Turn TeachβRecall | 10 | Long-conversation fact retention |
| O26-O35: 500/5000-Turn Stress | 10 | Extreme length + sensitive data |
| O36-O45: Ollama Live Inference | 10 | Live model hallucination measurement |
| O46-O50: Multi-Model Cascade | 5 | Cross-model hallucination propagation |
| O51-O55: Tier 2 Analysis | 5 | Advanced hallucination classification |
| O56-O60: Tier 3 Defense-Aware | 5 | Hallucinations that evade defenses |
| O61-O65: Training Loop Corruption | 5 | Poison in RL training data |
| O66-O70: Conversation Memory | 5 | Tiered retrieval accuracy |
| O71-O75: Session Chain Scaffold | 5 | Chain architecture validation |
| O76-O80: Session Chain Live | 5 | Live Ollama chain + poison defense |
| P1-P5: Pen Testing Extensions | 5 | Prompt injection, extraction attacks |
| P6-P10: Advanced Pen Testing | 5 | Multi-step attack chains |
| P11-P15: Defense Evasion | 5 | Paraphrase, homoglyph, indirect evasion |
| D1-D5: Defense Validation | 5 | Defense stack correctness |
| Total | 160 | 22 suites β most comprehensive open-source adversarial eval |
5. Competitive Landscape
14 structured research questions. The answer: nobody has combined all three.
Gap Matrix: DragonClaw 7/7 β no other system combines all three capabilities
Gap Matrix
| Capability | MemGPT | Zep | Mem0 | MeVe | TierMem | DragonClaw |
|---|---|---|---|---|---|---|
| Persistent Memory | β | β | β | β | β | β |
| Tiered Retrieval | β | β | β | β | β | β |
| Defense Gating | β | β | β | β | ~ | β |
| Auto Session Chain | ~ | ~ | β | β | β | β |
| Local-First (Zero Cost) | β | β | ~ | β | β | β |
| Adversarial Testing | β | β | β | β | β | β |
| Poison Propagation Tests | β | β | β | β | β | β |
| Score | 3/7 | 3/7 | 2/7 | 1/7 | 2/7 | 7/7 |
Key Academic References
| Paper | Year | Relevance |
|---|---|---|
| MemGPT (Packer et al.) | 2023 | Virtual context management β closest to tiered retrieval |
| Lost in the Middle (Stanford) | 2023 | 40%+ recall drop in middle of context β motivates session chaining |
| PoisonedRAG | 2024 | 90% attack success β motivates defense gating |
| MeVe | 2025 | Memory verification pipeline β closest to defense gating concept |
| A-MemGuard | 2025 | Memory poisoning defense β consensus validation approach |
| TierMem | 2026 | Provenance-aware tiered memory β closest overall competitor |
6. Cost Analysis
1,000Γ cheaper than full-context cloud models β with better recall
Cost per 500-Turn Conversation Session
| Architecture | Cost / Session | Relative | At 100K Sessions/Day |
|---|---|---|---|
| GPT-4o full context | ~$120 β $150 | 1Γ | $12 β 15M/day |
| Gemini 1M window | ~$120 β $200 | ~1Γ | $12 β 20M/day |
| Cloud RAG | ~$2 β $4 | ~50Γ cheaper | $200 β 400K/day |
| DragonClaw (local) | ~$0.02 β $0.10 | ~1,000Γ cheaper | $2 β 10K/day |
7. Conclusion
DragonClaw demonstrates that the tension between memory persistence and memory safety in AI systems is solvable β and that the solution doesn't require massive cloud infrastructure or cutting-edge models.
Our three integrated innovations:
- Tiered retrieval β cheap first, expensive only when needed
- Defense-gated memory β zero-trust for retrieved facts
- Auto-spawn session chaining β unlimited conversation with seamless handoff
Together, they achieve what no other open-source system has demonstrated:
Known Limitations & Next Steps
- FactVerifier V1 keyword gap (O79): Poison containing truth aliases bypasses keyword matching. Embedding-based FactVerifier V2 is the P0 priority.
- InputSanitizer regex vulnerability: Homoglyph substitution (e.g., Cyrillic characters) can bypass regex filters. Needs NFKD normalization.
- OutputFilter keyword limitation: Indirect descriptions bypass keyword redaction. Needs semantic detection.
- No canonical benchmark: No standard benchmark exists for adversarial memory recall across sessions. We aim to define one.
π‘ The Real Insight
The game changer isn't infinite conversation. It's the combination of reliable recall at any depth, defense against memory poisoning, and zero API cost. Nobody else has put all three together. DragonClaw is what happens when you stop asking "how do we remember more?" and start asking "how do we remember safely?"
8. Data Availability
DragonClaw is fully open source. All 160 test results, the competitive intelligence report, architecture code, and evaluation framework are available at the repository below.
References
- Packer, C., et al. (2023). "MemGPT: Towards LLMs as Operating Systems." arXiv:2310.08560
- Liu, N. F., et al. (2023). "Lost in the Middle: How Language Models Use Long Contexts." arXiv:2307.03172
- Zou, W., et al. (2024). "PoisonedRAG: Knowledge Poisoning Attacks to Retrieval-Augmented Generation." arXiv:2402.07867
- Hu, E. J., et al. (2021). "LoRA: Low-Rank Adaptation of Large Language Models." arXiv:2106.09685
- OWASP. (2025). "Agentic AI Security Threats and Mitigations."
Citation
@misc{omori2026dragonclaw,
title={DragonClaw: Defense-Gated AI Memory with Infinite
Conversation Recall},
author={Omori, Hana},
year={2026},
url={https://github.com/aimarketingflow/llm-hallucinations-evaluation-meta-claw}
}
