Go to ICML 2026 Workshop AIWILD homepageSlotGuard: Stop Oversharing Private Local Context in LLM Agent Transcripts
Keywords: LLM agents, transcript privacy, secret redaction
TL;DR: SlotGuard keeps raw local paths, identifiers, and credentials out of provider-bound LLM-agent transcripts, while preserving enough structure for agents to keep working safely.
Abstract: LLM agents can leak privacy (e.g., paths, emails) and credentials (e.g., API keys) as agent observations (e.g., tool outputs, shell logs, and file reads) are appended to provider-bound transcripts. Existing placeholder redaction is brittle: it can miss embedded or cross-turn references, over-redact benign lookalikes, and destroy the structure useful for reasoning. We present SlotGuard, a local transcript boundary that can hide sensitive data while retaining agents’ performance. SlotGuard rewrites structural bindings as typed, suffix-aware
slots, replaces secrets with format-preserving synthetic values, links cross-turn references with a lightweight session graph, and restores raw values only inside the trusted runtime. On controlled repository-oriented agent transcripts, SlotGuard removes all 20,814 annotated structurally sensitive characters across 9,229 paths and reduces credential leakage to 0.0% across 852 planted values. It remains close to raw-transcript task success across four upstream models, while generic redaction drops to 2.5%. Transcript rewriting takes a median of 14.424 μs per agent turn.
Track: Short Paper (4 pages)
Email Sharing: We authorize the sharing of all author emails with Program Chairs.
Data Release: We authorize the release of our submission and author names to the public in the event of acceptance.
Submission Number: 136
Loading