ADAM: A Systematic Data Extraction Attack on Agent Memory via Adaptive Querying

📅 2026-04-10
📈 Citations: 0
✨ Influential: 0

🤖 AI Summary
This work addresses the vulnerability of sensitive information stored in the memory of large language model agents to query-based extraction attacks. To this end, the authors propose a systematic, adaptive query-driven attack framework that, for the first time, integrates data distribution estimation with an entropy-guided querying mechanism. By modeling the underlying data distribution within the target agent's memory and dynamically optimizing queries to maximize information entropy, the method significantly enhances privacy leakage efficacy. Experimental evaluations demonstrate that the proposed approach achieves up to 100% attack success rates across multiple benchmarks, substantially outperforming state-of-the-art baselines and revealing critical weaknesses in current agent-level privacy safeguards.

πŸ“ Abstract
Large Language Model (LLM) agents have achieved rapid adoption and demonstrated remarkable capabilities across a wide range of applications. To improve reasoning and task execution, modern LLM agents would incorporate memory modules or retrieval-augmented generation (RAG) mechanisms, enabling them to further leverage prior interactions or external knowledge. However, such a design also introduces a group of critical privacy vulnerabilities: sensitive information stored in memory can be leaked through query-based attacks. Although feasible, existing attacks often achieve only limited performance, with low attack success rates (ASR). In this paper, we propose ADAM, a novel privacy attack that features data distribution estimation of a victim agent's memory and employs an entropy-guided query strategy for maximizing privacy leakage. Extensive experiments demonstrate that our attack substantially outperforms state-of-the-art ones, achieving up to 100% ASRs. These results thus underscore the urgent need for robust privacy-preserving methods for current LLM agents.
Problem

Research questions and friction points this paper is trying to address.

privacy leakage
LLM agents
memory extraction
query-based attack
sensitive information
Innovation

Methods, ideas, or system contributions that make the work stand out.

adaptive querying
data extraction attack
agent memory
entropy-guided strategy
privacy leakage