Just Ask: Curious Code Agents Reveal System Prompts in Frontier LLMs
Xiang Zheng, Yutao Wu, Hanxun Huang, Yige Li, Xingjun Ma, Bo Li, Yu-Gang Jiang, Cong Wang
TL;DR
This work introduces JustAsk, a self-evolving framework that autonomously discovers extraction strategies to reveal hidden system prompts in frontier LLM-based code agents. By combining a hierarchical 28-skill taxonomy with Upper Confidence Bound–driven exploration and consistency-based validation, JustAsk achieves full or near-complete extraction across 41 black-box models, exposing architecture- and design-level vulnerabilities and a near-universal adoption of the Helpful–Honest–Harmless alignment norms. The authors validate their approach through case studies (notably Claude Code), large-scale black-box experiments, and controlled defenses, revealing that even attack-aware defenses can only partially mitigate prompt leakage. The findings highlight a critical security tension between model helpfulness and confidentiality, arguing for agentic defenses and ongoing transparent evaluation to secure multi-agent AI systems. Practically, the work provides a rigorous methodology and taxonomy for evaluating prompt confidentiality in deployed LLMs, with implications for policy, system design, and defense research in AI safety.
Abstract
Autonomous code agents built on large language models are reshaping software and AI development through tool use, long-horizon reasoning, and self-directed interaction. However, this autonomy introduces a previously unrecognized security risk: agentic interaction fundamentally expands the LLM attack surface, enabling systematic probing and recovery of hidden system prompts that guide model behavior. We identify system prompt extraction as an emergent vulnerability intrinsic to code agents and present \textbf{\textsc{JustAsk}}, a self-evolving framework that autonomously discovers effective extraction strategies through interaction alone. Unlike prior prompt-engineering or dataset-based attacks, \textsc{JustAsk} requires no handcrafted prompts, labeled supervision, or privileged access beyond standard user interaction. It formulates extraction as an online exploration problem, using Upper Confidence Bound-based strategy selection and a hierarchical skill space spanning atomic probes and high-level orchestration. These skills exploit imperfect system-instruction generalization and inherent tensions between helpfulness and safety. Evaluated on \textbf{41} black-box commercial models across multiple providers, \textsc{JustAsk} consistently achieves full or near-complete system prompt recovery, revealing recurring design- and architecture-level vulnerabilities. Our results expose system prompts as a critical yet largely unprotected attack surface in modern agent systems.
