Ghost Tool Calls: Issue-Time Privacy for Speculative Agent Tools
Abstract:
To mask latency, tool-augmented language agents frequently predict and issue probable future tool calls. However, this speculative behavior inadvertently exposes inferred user intentions to external services prior to the agent’s final commitment to a specific execution path. Once an external observer receives such a call, they retain the disclosed information even if the agent later discards that particular branch. This vulnerability stems from timing rather than authorization; consequently, standard mitigation strategies like read-only restrictions, access-control allow-lists, or post-commit cleanup mechanisms are ineffective, as they cannot retract data already held by observers. We term these premature invocations "ghost tool calls." To address this, we introduce Speculative Tool Privacy Contracts, a runtime abstraction that categorizes pre-commitment observation as a distinct, first-class effect separate from state mutation. Our prototype implementation of these contracts was evaluated against twelve distinct policies across three different corpora. The results indicate that while speculative dispatch heightens an observer’s ability to deduce user intent, post-hoc filters, read-only constraints, and allow-lists fail to diminish this inference. Only issue-time policies that modify or suppress the speculative call’s argument or destination projection prior to dispatch successfully reduce the privacy risk.
Source: arXiv
Generated at: 2026-06-02 00:00:00 UTC