ToolPrivacyBench: Benchmarking Purpose-Bound Privacy in Tool-Using LLM Agents

Large language models (LLMs) have increasingly moved from standalone text generation systems to agents that invoke external tools, access environments, and execute multi-step tasks.

However, conventional function-calling benchmarks mainly evaluate task completion and API correctness, while privacy evaluation benchmarks typically focus on final responses or privacy judgments.

Neither perspective captures purpose-bound information flow across an executed multi-tool trajectory.

Motivated by this limitation in current agent evaluation, ToolPrivacyBench audits whether task-private atoms are routed only to authorized tools and downstream sinks, thereby evaluating both task completion and privacy over-disclosure during tool use.

The benchmark contains 2,150 cases, including 1,150 fully synthetic privacy-sensitive business workflows and 1,000 cases adapted from existing multi-tool and function-calling benchmarks.

Each case is represented by a policy knowledge base.

After an agent executes against mock business backends, the evaluator compares recorded tool arguments and backend audit logs with this policy knowledge base.

The evaluation covers nine widely used agents to characterize purpose-bound privacy over-disclosure.

The results show that successful tool execution does not imply appropriate privacy disclosure: an agent may complete a task while transmitting unnecessary private information through intermediate tool calls.

ToolPrivacyBench therefore formalizes a need-to-know disclosure boundary, under which each tool should receive only the information necessary for its stated purpose, and uses trajectory-level auditing to identify privacy over-disclosure in multi-tool workflows.