RedAct: Redacting Agent Capability Traces for Procedural Skill Protection
June 10, 2026
Authors: Shuwen Xu, Zhitao He, Yi R. Fung
cs.AI
Abstract
Users rely on execution traces to observe agent behavior, diagnose failures, and ensure accountability. These traces contain rich procedural detail, including tool invocations, intermediate decisions, and error-recovery logic. However, such detail can expose private procedural skills, letting downstream methods recover key formulas, thresholds, and strategies without access to model weights or skill files. To quantify this risk and evaluate protections, we construct the CapTraceBench benchmark, covering 75 specialized long-horizon tasks and 154 curated skills across seven domains. We also propose RedAct (https://github.com/XuShuwenn/RedAct), a protected trace release framework that localizes protected key information, rewrites traces while preserving verifier-critical evidence, and embeds behavioral watermarks to support downstream provenance analysis. Across representative trace reuse methods, RedAct reduces the normalized skill transfer rate (NST) of unprocessed traces from 44.7%–67.1% to below the no-skill baseline while preserving audit evidence. Its standalone behavioral watermarks achieve 93.6%–100.0% true detection at a false alarm rate of at most 1.9%. These results frame public agent traces as security interfaces and show that selective redaction can reduce the risk of procedural capability leakage without removing audit evidence.
English
Users rely on execution traces to observe agent behavior, diagnose failures, and ensure accountability. These traces contain rich procedural detail, including tool invocations, intermediate decisions, and error-recovery logic. Yet this detail can expose private procedural skills, allowing downstream methods to recover key formulas, thresholds, and strategies without access to model weights or skill files. To quantify this risk and evaluate protection, we construct CapTraceBench, a benchmark of 75 specialized long-horizon tasks and 154 curated skills across seven domains. We also introduce RedAct (https://github.com/XuShuwenn/RedAct), a protected trace release framework that localizes protected key information, rewrites traces while preserving verifier-critical evidence, and embeds behavioral watermarks for downstream provenance analysis. Across representative trace reuse methods, RedAct reduces normalized skill transfer (NST) from 44.7%–67.1% on raw traces to below the no-skill baseline, while preserving audit evidence. Its standalone behavioral watermarks reach 93.6%–100.0% true detection with a false alarm rate of at most 1.9%. These results frame public agent traces as security interfaces and show that selective redaction can reduce procedural capability leakage without removing audit evidence.