Multi-agent Large Language Model (LLM) systems create privacy risks that current output-only benchmarks cannot measure. When agents coordinate on tasks, sensitive data may pass through inter-agent messages, shared memory, and tool arguments, all pathways that final-output audits typically do not inspect. We introduce AgentLeak, a benchmark for evaluating internal-channel privacy leakage in multi-agent LLM systems. AgentLeak instruments seven privacy-relevant communication pathways and provides a large-scale empirical evaluation focused on final outputs, inter-agent messages, and shared memory. Across 1,000 scenarios spanning healthcare, finance, legal, and corporate domains, five production LLMs (GPT-4o, GPT-4o-mini, Claude 3.5 Sonnet, Mistral Large, and Llama 3.3 70B), and 4,979 validated execution traces, we find that multi-agent configurations reduce final-output leakage (C1: 27.2% vs 43.2% in single-agent mode) compared with single-agent baselines but introduce internal channels that raise total system exposure to 68.9% (aggregated across C1, C2, C5). Inter-agent messages (C2) leak at 68.8%, compared with 27.2% for final outputs (C1), meaning that output-only audits miss 41.7% of violations. Across all five models and four domains, the pattern C2 $\geq$ C1 holds consistently. These results suggest, within the evaluated coordinator-worker setting, that privacy risk in multi-agent systems is strongly shaped by architectural coordination channels rather than final-output behavior alone: it arises from internal channels that remain invisible to standard output-level defenses.

翻译：多智能体大语言模型系统会引发当前仅针对输出的基准测试无法衡量的隐私风险。当智能体协同完成任务时，敏感数据可能通过智能体间消息、共享内存及工具参数等路径传递，而这些路径通常未被最终输出审计所检查。我们提出了AgentLeak，一个用于评估多智能体大语言模型系统内部通道隐私泄露的基准测试。AgentLeak对七条隐私相关通信通路进行检测，并基于最终输出、智能体间消息和共享内存三个维度开展大规模实证评估。我们在涵盖医疗、金融、法律和企业领域的1000个场景中，使用五种生产级大语言模型（GPT-4o、GPT-4o-mini、Claude 3.5 Sonnet、Mistral Large和Llama 3.3 70B），结合4979条经过验证的执行轨迹发现：与单智能体基线相比，多智能体配置虽能减少最终输出泄露（C1：单智能体模式43.2% vs. 多智能体模式27.2%），但引入的内部通道将系统整体暴露风险提升至68.9%（C1、C2、C5聚合值）。智能体间消息（C2）泄露率达68.8%，而最终输出（C1）仅为27.2%，这意味着仅评估输出的审计会遗漏41.7%的违规行为。在所有五种模型和四个领域中，C2 ≥ C1的模式持续成立。这些结果表明，在所评估的协调者-工作者架构下，多智能体系统的隐私风险主要由架构级协调通道而非最终输出行为决定：风险源于标准输出层防御机制无法监测的内部通道。