AI's "operation recordings" are leaking your secret recipes
When you have an AI do work for you, it logs every step it takes: which tools it called, how it decided, and how it recovered from errors. These logs exist so you can debug and assign responsibility, but researchers found that anyone who gets hold of them can reverse-engineer your "operating recipe": the key formulas, decision thresholds and strategy logic, without ever looking at the model weights or skill files. They built a benchmark of 75 complex tasks and a protection tool called RedAct, which blurs the most critical steps in a log while keeping the evidence that shows the AI did nothing wrong, and can also hide a watermark in the log so that whoever steals it can be traced back to the source. The result: the success rate of skill theft drops from 44-67% to below what an attacker gets with no logs to steal at all, with no loss of debugging evidence. This is not a feature you can use tomorrow, but it tells you one thing: the AI's "operation recording" is becoming a new security hole. What you thought was transparency is actually running naked.
📄 Original abstract (English)
Users rely on execution traces to observe agent behavior, diagnose failures, and ensure accountability. These traces contain rich procedural detail, including tool invocations, intermediate decisions, and error-recovery logic. Yet this detail can expose private procedural skills, allowing downstream methods to recover key formulas, thresholds, and strategies without access to model weights or skill files. To quantify this risk and evaluate protection, we construct CapTraceBench, a benchmark of 75 specialized long-horizon tasks and 154 curated skills across seven domains. We also introduce RedAct (https://github.com/XuShuwenn/RedAct), a protected trace release framework that localizes protected key information, rewrites traces while preserving verifier-critical evidence, and embeds behavioral watermarks for downstream provenance analysis. Across representative trace reuse methods, RedAct reduces normalized skill transfer (NST) from 44.7–67.1% on raw traces to below the no-skill baseline, while preserving audit evidence. Its standalone behavioral watermarks reach 93.6–100.0% true detection with a false alarm rate of at most 1.9%. These results frame public agent traces as security interfaces and show that selective redaction can reduce procedural capability leakage without removing audit evidence.
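To make the three ideas in the abstract concrete (localize the sensitive detail, rewrite while keeping verifier-critical evidence, mark the release for provenance), here is a toy redactor in Python over a constructed trace. It is an added illustration, not the paper's code or anything from the RedAct repository: it strips formulas and bare numeric thresholds from each step's reasoning text, keeps the tool/status sequence an auditor needs, and picks between two equivalent placeholder wordings with a keyed HMAC bit so a leaked copy can be matched back to its release id. The sample trace, secret, release id and regexes are all assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample trace (illustrative only; not from the paper or RedAct).
RAW_TRACE = [
    {"step": 1, "tool": "fetch_prices", "status": "ok",
     "reasoning": "Score = (price - mean) / std; flag the item when score > 2.35."},
    {"step": 2, "tool": "place_order", "status": "error",
     "reasoning": "Rejected: exposure above 0.18 of the book, so halve qty and retry."},
    {"step": 3, "tool": "place_order", "status": "ok", "reasoning": "Retry accepted."},
]

FORMULA = re.compile(r"\b\w+\s*=\s*[^;.]+")      # e.g. "Score = (price - mean) / std"
THRESHOLD = re.compile(r"(?<!\w)\d+(?:\.\d+)?(?!\w)")  # bare numeric constants
VARIANTS = ("[withheld]", "[redacted]")          # equivalent wordings carrying one bit

def mark_bit(secret: bytes, release_id: str, step: int) -> int:
    """One keyed bit per step; only the key holder can reproduce the pattern."""
    tag = hmac.new(secret, f"{release_id}:{step}".encode(), hashlib.sha256).digest()
    return tag[0] & 1

def redact_trace(trace, secret: bytes, release_id: str):
    """Remove formulas/thresholds from reasoning; keep step order, tool and status."""
    out = []
    for e in trace:
        ph = VARIANTS[mark_bit(secret, release_id, e["step"])]
        text = THRESHOLD.sub(ph, FORMULA.sub(ph, e["reasoning"]))
        out.append({"step": e["step"], "tool": e["tool"], "status": e["status"],
                    "reasoning": text})
    return out

def audit_evidence(trace):
    """The verifier-critical view: which tool ran at each step and whether it failed."""
    return [(e["step"], e["tool"], e["status"]) for e in trace]

def recovery_verified(trace) -> bool:
    """Audit check that survives redaction: every failed call is later retried successfully."""
    return all(any(n["tool"] == e["tool"] and n["status"] == "ok" for n in trace[i + 1:])
               for i, e in enumerate(trace) if e["status"] == "error")

def detect_mark(trace, secret: bytes, release_id: str) -> float:
    """Fraction of placeholders whose wording matches the bits expected for release_id."""
    hits = total = 0
    for e in trace:
        expected = VARIANTS[mark_bit(secret, release_id, e["step"])]
        for ph in VARIANTS:
            n = e["reasoning"].count(ph)
            total += n
            hits += n if ph == expected else 0
    return hits / total if total else 0.0

if __name__ == "__main__":
    released = redact_trace(RAW_TRACE, b"example-key", "rel-1")
    for e in released:
        print(e)
    print("audit ok:", recovery_verified(released), "match:", detect_mark(released, b"example-key", "rel-1"))
```

With only two marked steps, a wrong release id still matches the pattern one time in four; a real deployment would spread bits over many steps before treating a match as evidence of provenance.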