# Network-Level Prompt and Trait Leakage in Local Research Agents

**Authors:** Hyejun Jeong, Mohammadreza Teymoorianfard, Abhinav Kumar, Amir Houmansadr, Eugene Bagdasarian

arXiv: 2508.20282 · 2026-01-16

## TL;DR

This paper shows that locally deployed research agents built on language models are vulnerable to network-level inference attacks that leak user prompts and traits. It highlights the resulting privacy risks and proposes mitigation strategies.

## Contribution

The paper introduces a novel network-level attack on Web and Research Agents that infers prompts and user traits solely from network metadata, and demonstrates that the attack is accurate and robust.

## Key findings

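- The attack recovers over 73% of the functional and domain knowledge of user prompts, as measured by the OBELS metric.
- In a multi-session setting, up to 19 of 32 latent user traits are recovered with high accuracy.
- Mitigations that constrain domain diversity or obfuscate traces reduce attack effectiveness by an average of 29%, with negligible utility impact.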

## Abstract

We show that Web and Research Agents (WRAs) -- language-model-based systems that investigate complex topics on the Internet -- are vulnerable to inference attacks by passive network observers. Deployment of WRAs *locally* by organizations and individuals for privacy, legal, or financial purposes exposes them to DNS resolvers, malicious ISPs, VPNs, web proxies, and corporate or government firewalls. However, unlike sporadic and scarce web browsing by humans, WRAs visit 70-140 domains per request with a distinct timing pattern, creating unique privacy risks. Specifically, we demonstrate a novel prompt and user trait leakage attack against WRAs that only leverages their network-level metadata (i.e., visited IP addresses and their timings). We start by building a new dataset of WRA traces based on real user search queries and queries generated by synthetic personas. We define a behavioral metric (called OBELS) to comprehensively assess similarity between original and inferred prompts, showing that our attack recovers over 73% of the functional and domain knowledge of user prompts. Extending to a multi-session setting, we recover up to 19 of 32 latent traits with high accuracy. Our attack remains effective under partial observability and noisy conditions. Finally, we discuss mitigation strategies that constrain domain diversity or obfuscate traces, showing negligible utility impact while reducing attack effectiveness by an average of 29%.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2508.20282/full.md

## Figures

9 figures with captions in the complete paper: https://tomesphere.com/paper/2508.20282/full.md

---
Source: https://tomesphere.com/paper/2508.20282