Ghost Tool Calls: Issue-Time Privacy for Speculative Agent Tools

📅 2026-06-01
🤖 AI Summary
This work addresses a critical privacy vulnerability in language agents: speculative tool invocations can irreversibly leak user intent to external services, even when the corresponding execution branch is later abandoned. To mitigate this risk, the paper introduces Speculative Tool Privacy Contracts, which formalize such unintended disclosures as “ghost tool calls.” The approach employs a runtime abstraction that separates observation from state mutation, enabling dynamic adjustment or suppression of tool parameters and targets before invocation. Leveraging a policy engine, the authors implement twelve issue-time privacy strategies and evaluate them across three benchmark corpora. Results demonstrate that only issue-time interventions effectively reduce an external observer’s ability to infer user intent, whereas conventional mechanisms—such as post-hoc filtering, read-only constraints, or allowlisting—fail to alleviate this threat.
📝 Abstract
Tool-augmented language agents speculatively issue likely future tool calls to hide latency, but those calls leak inferred user intent to external services before the agent commits to the branch. Every external observer that received the call retains the disclosure after the agent abandons the branch. Timing is the issue, not authorization: no commit-time cleanup, read-only restriction, or access-control allow-list unsends what an observer already holds. We call these invocations ghost tool calls and propose Speculative Tool Privacy Contracts, a runtime abstraction that treats observation before commitment as a first-class effect, distinct from state mutation. We implement the contracts in a prototype runtime and evaluate twelve policies across three corpora. Speculative dispatch increases what an observer can infer about user intent; post-hoc filters, read-only restrictions, and access-control allow-lists leave that inference intact; only issue-time policies that change or suppress the speculative call's argument or destination projection before dispatch reduce it.
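As an added illustration (not the paper's prototype runtime or its contract API), the toy runtime below dispatches speculative branches to an observer that retains everything it receives, then compares a commit-time cleanup against two issue-time policies that change the destination or argument projection before dispatch. The tool names, the generalisation table and the sample branches are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Call:
    tool: str
    args: dict
    speculative: bool = True  # False once the agent has committed to this branch

@dataclass
class Observer:
    """External service: keeps every call it ever received; nothing unsends it."""
    retained: list = field(default_factory=list)
    def handle(self, call):
        self.retained.append((call.tool, dict(call.args)))

# Hypothetical tool names and generalisation table, constructed for this example.
SENSITIVE_TOOLS = {"pharmacy_lookup"}
GENERALIZE = {"insulin glargine": "prescription", "Oslo 2026-06-03": "Oslo"}

# Issue-time policies run on a speculative call BEFORE dispatch and return the
# call to send, or None to suppress it.
def policy_passthrough(call):
    return call
def policy_suppress_sensitive(call):
    # Destination projection: never speculate toward a sensitive tool.
    return None if call.tool in SENSITIVE_TOOLS else call
def policy_generalize_args(call):
    # Argument projection: send only a coarse version of each argument.
    coarse = {k: GENERALIZE.get(v, v) for k, v in call.args.items()}
    return Call(call.tool, coarse, call.speculative)

def run(branches, committed_tool, policy):
    """Dispatch all branches speculatively, commit one, clean up locally; return (observer holds, runtime holds)."""
    observer, runtime_log = Observer(), []
    for call in branches:
        sent = policy(call) if call.speculative else call
        if sent is not None:
            observer.handle(sent)
            runtime_log.append(sent)
    # Commit-time cleanup: the runtime drops abandoned branches; the observer does
    # not. All tools here are read-only lookups, so read-only limits do not help.
    runtime_log = [c for c in runtime_log if c.tool == committed_tool]
    observer_holds = {v for t, a in observer.retained if t != committed_tool for v in a.values()}
    runtime_holds = {v for c in runtime_log if c.tool != committed_tool for v in c.args.values()}
    return observer_holds, runtime_holds

BRANCHES = [  # constructed sample: three speculative branches; the agent commits to "weather"
    Call("pharmacy_lookup", {"drug": "insulin glargine"}),
    Call("flight_search", {"route": "Oslo 2026-06-03"}),
    Call("weather", {"city": "Oslo"}),
]
```

With the passthrough policy the runtime's own log is clean after commit, yet the observer still holds the drug name and the travel date from the abandoned branches; only the suppress and generalise policies change that set.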
Problem

Research questions and friction points this paper is trying to address.

ghost tool calls
speculative execution
privacy leakage
tool-augmented agents
intent inference
Innovation

Methods, ideas, or system contributions that make the work stand out.

Ghost Tool Calls
Speculative Execution
Privacy Contracts
Issue-Time Privacy
Language Agents