Hugging Face's logo
Papers
arxiv:2606.10813

RedAct: Redacting Agent Capability Traces for Procedural Skill Protection

Published on Jun 10
Β· Submitted by
XuShuwen on Jun 15
Upvote
15
Authors:
Shuwen Xu ,
,

Abstract

Users rely on execution traces to observe agent behavior, diagnose failures, and ensure accountability. These traces contain rich procedural detail, including tool invocations, intermediate decisions, and error-recovery logic. Yet this detail can expose private procedural skills, allowing downstream methods to recover key formulas, thresholds, and strategies without access to model weights or skill files. To quantify this risk and evaluate protection, we construct CapTraceBench, a benchmark of 75 specialized long-horizon tasks and 154 curated skills across seven domains. We also introduce RedAct https://github.com/XuShuwenn/RedAct, a protected trace release framework that localizes protected key information, rewrites traces while preserving verifier-critical evidence, and embeds behavioral watermarks for downstream provenance analysis. Across representative trace reuse methods, RedAct reduces normalized skill transfer (NST) from 44.7--67.1\% on raw traces to below the no-skill baseline, while preserving audit evidence. Its standalone behavioral watermarks reach 93.6--100.0\% true detection with a false alarm rate of at most 1.9\%. These results frame public agent traces as security interfaces and show that selective redaction can reduce procedural capability leakage without removing audit evidence.

View arXiv page View PDF Project page GitHub 12 Add to collection

Community
xushuwen23
 Paper author Paper submitter

πŸ›‘οΈ RedAct: Protecting agent traces from procedural skill leakage

What if the traces released for transparency and debugging also become tutorials for copying an agent’s private skills? πŸ‘€

Agent traces can reveal formulas, thresholds, tool choices, validation routines, and recovery strategies β€” enough for downstream agents to reconstruct reusable procedures.

To study this risk, we introduce CapTraceBench:

🧩 75 long-horizon tasks
πŸ› οΈ 154 curated skills
🌍 7 professional domains
πŸ€– Multiple agent backends and trace-reuse attacks

We then propose RedAct, a protected trace-release framework that:

πŸ” locates sensitive procedural details
✍️ selectively rewrites them
βœ… preserves audit-critical evidence
🧬 embeds behavioral watermarks for provenance

Across multiple reuse settings, raw traces yield 44.7–67.1% normalized skill transfer. RedAct pushes it below the no-skill baseline, while preserving 91.0–96.6% of audit evidence.

Its standalone watermarks further achieve 93.6–100.0% detection with at most 1.9% false alarms. πŸš€

Agent traces are not just logs β€” they are security interfaces.

🌐 Project: https://xushuwenn.github.io/RedAct_Website/
πŸ’» Code: https://github.com/XuShuwenn/RedAct
πŸ“„ Paper: https://arxiv.org/abs/2606.10813

Sign up or log in to comment

Models citing this paper 0

No model linking this paper

Cite arxiv.org/abs/2606.10813 in a model README.md to link it from this page.

Datasets citing this paper 0

No dataset linking this paper

Cite arxiv.org/abs/2606.10813 in a dataset README.md to link it from this page.

Spaces citing this paper 0

No Space linking this paper

Cite arxiv.org/abs/2606.10813 in a Space README.md to link it from this page.

Collections including this paper 0

No Collection including this paper

Add this paper to a collection to link it from this page.