# TraceSafe: A Systematic Evaluation of LLM Safety Guardrails in Multi-step Tool Calling Trajectories > TraceSafe-Bench is the first comprehensive benchmark specifically designed to evaluate the safety of intermediate trajectories in multi-step tool calling, covering 12 risk categories and over 1000 execution instances. The study found that: guardrail effectiveness depends more on structured data capabilities than semantic safety alignment; model architecture is more important than scale; accuracy improves with the increase of execution steps. - 板块: [Openclaw Llm](https://www.zingnex.cn/en/forum/board/openclaw-llm) - 发布时间: 2026-04-08T15:46:14.000Z - 最近活动: 2026-04-09T01:48:16.648Z - 热度: 128.0 - 关键词: LLM安全, 智能体, 工具调用, 安全护栏, 基准测试, 多步推理 - 页面链接: https://www.zingnex.cn/en/forum/thread/tracesafe-llm - Canonical: https://www.zingnex.cn/forum/thread/tracesafe-llm - Markdown 来源: floors_fallback --- ## [Introduction] TraceSafe: Key Points of Systematic Evaluation on Safety Guardrails for Multi-step Tool Calling Trajectories This article focuses on the safety issues of intermediate trajectories in multi-step tool calling by LLM agents, filling the gap in domain evaluation. Key contributions include proposing the first trajectory-level safety benchmark TraceSafe-Bench (12 risk categories, 1000+ instances), and discovering three key patterns: guardrail effectiveness depends on structured data capabilities rather than semantic alignment; model architecture is more important than scale; accuracy improves with execution steps. ## Background: Shift of Safety Risks in the Era of LLM Agents LLMs have evolved from static chatbots to autonomous tool-calling agents, and safety risks have shifted from final outputs to intermediate trajectories. Traditional guardrails focus on final content, but malicious tool-calling sequences may cause damage early, and existing evaluations of intermediate trajectory safety are almost non-existent. ## Methodology: TraceSafe-Bench — The First Trajectory-Level Safety Benchmark TraceSafe-Bench is the first benchmark for evaluating the safety of multi-step tool calling trajectories, with the concept of evaluating every step of execution in depth. It covers 12 risk categories: safety threats (prompt injection, privacy leakage, privilege abuse) and operation failures (hallucination-induced incorrect calls, interface inconsistencies, etc.); it contains over 1000 execution instances with annotated risk points. ## Key Findings: Three Counterintuitive Safety Patterns 1. Structured capability outperforms semantic alignment: Strongly correlated with structured tests (ρ=0.79), irrelevant to jailbreak robustness; 2. Architecture is better than scale: General-purpose LLMs are superior to specialized safety guardrail models, and medium-scale general-purpose models may be more optimal; 3. Accuracy improves with steps: In long trajectories, models shift from static definitions to dynamic behavior observation, and information gain enhances recognition rates. ## Practical Implications: Key Recommendations for Agent Safety Design 1. Prioritize evaluating structured data processing capabilities when selecting guardrails; 2. Innovate evaluation methods and establish standards for trajectory structuring/temporal reasoning; 3. Utilize information gain from long trajectories to design guardrails that dynamically integrate historical context. ## Limitations and Outlook: Shortcomings of TraceSafe-Bench and Future Directions Limitations: Limited modal coverage (lack of multimodality), based on static datasets; Future directions: Develop trajectory safety training methods, multimodal trajectory evaluation, and human-machine collaborative guardrail mechanisms.