Who Tests the Testers? Systematic Enumeration and Coverage Audit of LLM Agent Tool Call Safety
Xuan Chen, Lu Yan, Ruqi Zhang, Xiangyu Zhang

TL;DR
This paper introduces SafeAudit, a framework that systematically tests LLM agent tool-call safety, revealing significant safety gaps in existing benchmarks across multiple environments.
Contribution
SafeAudit combines an LLM-based enumerator and a rule-resistance metric to identify unsafe behaviors missed by current safety benchmarks.
Findings
Over 20% residual unsafe behaviors found
Coverage improves with increased testing budget
Significant safety evaluation gaps identified
Abstract
Large Language Model (LLM) agents increasingly act through external tools, making their safety contingent on tool-call workflows rather than text generation alone. While recent benchmarks evaluate agents across diverse environments and risk categories, a fundamental question remains unanswered: how complete are existing test suites, and what unsafe interaction patterns persist even after an agent passes the benchmark? We propose SafeAudit, a meta-audit framework that addresses this gap through two contributions. First, an LLM-based enumerator that systematically generates test cases by enumerating valid tool-call workflows and diverse user scenarios. Second, we introduce rule-resistance, a non-semantic, quantitative metric that distills compact safety rules from existing benchmarks and identifies unsafe interaction patterns that remain uncovered under those rules. Across 3 benchmarks…
Taxonomy
Topics: Ethics and Social Impacts of AI · Adversarial Robustness in Machine Learning · Artificial Intelligence in Healthcare and Education
