Just Ask: Curious Code Agents Reveal System Prompts in Frontier LLMs

TL;DR

This paper introduces JustAsk, a framework that autonomously uncovers hidden system prompts in large language model-based code agents, revealing significant security vulnerabilities without prior knowledge or privileged access.

Contribution

It presents a novel, self-evolving exploration method for prompt extraction that requires no handcrafted prompts or supervision, exposing critical security flaws in commercial LLM agents.

Findings

JustAsk achieves near-complete prompt recovery across 41 models.

System prompts are a widespread and intrinsic vulnerability.

The attack exploits generalization gaps and safety tensions in model design.

Abstract

Autonomous code agents built on large language models are reshaping software and AI development through tool use, long-horizon reasoning, and self-directed interaction. However, this autonomy introduces a previously unrecognized security risk: agentic interaction fundamentally expands the LLM attack surface, enabling systematic probing and recovery of hidden system prompts that guide model behavior. We identify system prompt extraction as an emergent vulnerability intrinsic to code agents and present \textbf{\textsc{JustAsk}}, a self-evolving framework that autonomously discovers effective extraction strategies through interaction alone. Unlike prior prompt-engineering or dataset-based attacks, \textsc{JustAsk} requires no handcrafted prompts, labeled supervision, or privileged access beyond standard user interaction. It formulates extraction as an online exploration problem, using Upper Confidence Bound-based strategy selection and a hierarchical skill space spanning atomic probes and high-level orchestration. These skills exploit imperfect system-instruction generalization and inherent tensions between helpfulness and safety. Evaluated on \textbf{41} black-box commercial models across multiple providers, \textsc{JustAsk} consistently achieves full or near-complete system prompt recovery, revealing recurring design- and architecture-level vulnerabilities. Our results expose system prompts as a critical yet largely unprotected attack surface in modern agent systems.