RedAct: Redacting Agent Capability Traces for Procedural Skill Protection

📅 2026-06-09
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the risk that agent execution trajectories may inadvertently leak proprietary procedural knowledge—such as critical formulas, thresholds, and decision strategies—even when model weights remain undisclosed. To mitigate this, the authors propose RedAct, a novel framework that treats execution trajectories as security-sensitive interfaces. RedAct integrates sensitive information localization, semantics-preserving trajectory rewriting, and behavioral watermark embedding to sanitize trajectories while retaining essential evidence required for auditability. Evaluated on the newly introduced CapTraceBench benchmark, RedAct reduces normalized skill transfer rates in diverse trajectory reuse scenarios to below the no-skill baseline (originally 44.7–67.1%), achieves behavioral watermark detection rates of 93.6–100.0%, and maintains a false positive rate of at most 1.9%, thereby effectively balancing privacy preservation with auditability.
📝 Abstract
Users rely on execution traces to observe agent behavior, diagnose failures, and ensure accountability. These traces contain rich procedural detail, including tool invocations, intermediate decisions, and error-recovery logic. Yet this detail can expose private procedural skills, allowing downstream methods to recover key formulas, thresholds, and strategies without access to model weights or skill files. To quantify this risk and evaluate protection, we construct CapTraceBench, a benchmark of 75 specialized long-horizon tasks and 154 curated skills across seven domains. We also introduce RedAct (https://github.com/XuShuwenn/RedAct), a protected trace release framework that localizes protected key information, rewrites traces while preserving verifier-critical evidence, and embeds behavioral watermarks for downstream provenance analysis. Across representative trace reuse methods, RedAct reduces normalized skill transfer (NST) from 44.7–67.1% on raw traces to below the no-skill baseline, while preserving audit evidence. Its standalone behavioral watermarks reach 93.6–100.0% true detection with a false alarm rate of at most 1.9%. These results frame public agent traces as security interfaces and show that selective redaction can reduce procedural capability leakage without removing audit evidence.
Problem

Research questions and friction points this paper is trying to address.

procedural skill protection
capability leakage
execution traces
agent accountability
privacy risk
Innovation

Methods, ideas, or system contributions that make the work stand out.

RedAct
procedural skill protection
execution trace redaction
behavioral watermarking
capability leakage