- The paper identifies compositional behavioral leakage (CBL) as a systematic interference where irrelevant semantic edits in one module affect unrelated modules.
- It employs an empirical protocol with volume, content, and form perturbation channels to measure shifts in cv-match scores, notably with Cohen's d=0.63 in the content channel.
- The study highlights practical implications for auditing reliability in prompt-composed systems, calling for robust mitigation strategies against sub-threshold behavioral drift.
Instruction Bleed: Cross-Module Interference in Prompt-Composed Agentic Systems
Introduction
This paper addresses a failure mode intrinsic to prompt-composed agentic systems, specifically the phenomenon termed "compositional behavioral leakage" (CBL). CBL is defined as cross-module interference: changes or additions to one prompt module silently and systematically altering the behavior of unrelated modules within the same context window, despite no overt dependency or variable sharing. The underlying architectural cause is the lack of isolation among modules concatenated in an LLM's input, with transformer self-attention permitting unrestricted cross-token influence. The work targets a growing class of agentic systems assembled at runtime from human-authored prompt modules, which encode policy, workflow, and decision logic in text for LLM interpretation.
Theoretical Framework and Distinguishing CBL
The central claim is that the assumption of modular compositionality in these systems is unwarranted—transformer-based LLMs do not enforce any formal boundary between concatenated prompt modules. As a result, behavior is not a simple function of module-wise logic, but is emergent from the global attention mechanism. CBL is positioned orthogonally to well-studied agent failure axes: it is distinct from adversarial prompt injection, longitudinal cognitive degradation, privacy leakage, and fault propagation in multi-agent settings.
The paper formalizes CBL as the existence of a significant paired shift in a focal module's behavior after a semantically irrelevant edit to another module, quantified by the expected change in observable outputs. This constructs a rigorous foundation for both identifying and measuring CBL.
Empirical Validation: Protocol and Results
A practical probe of CBL is conducted within the "career-ops" job-evaluation agent, which is constructed in the prompt-composed paradigm. The experimental protocol introduces three perturbation channels affecting non-focal modules: volume (addition of a large, unrelated module), content (addition of an irrelevant semantic archetype), and form (meaning-preserving structural format changes). The focal metric is the "cv-match" score, representing alignment between candidate background and job requirements.
The most significant finding is observed in the content perturbation channel (C2): adding a semantically irrelevant "Professional Chef" archetype to the rules module yields a measurable shift in cv-match scores, with Cohen's d=0.63 and a bootstrap 95% confidence interval [+0.03,+0.31]—explicitly excluding zero. By contrast, neither volume nor format perturbations yielded statistically significant effects, localizing the interference to changes in semantic content rather than generic context growth or formatting. No score threshold crossings (recommendation flips) occurred, delimiting the result to "sub-threshold drift." This regime is invisible to standard QA protocols, which focus on discrete decisions, but can systematically bias aggregate outcomes in deployed agentic systems.
Mechanisms Underlying CBL
Four architectural properties underpin CBL:
- Global self-attention: No architectural constraint limits token interactions by module boundary or delimiter convention.
- Proactive interference: Prior context—regardless of semantic content—can degrade performance on subsequent modules via memory limits, as shown in (Wang et al., 9 Jun 2025).
- Coverage limitations: Compositional generalization is bounded by the coverage of module combinations in pre-training, leading to unpredictable behavior for novel combinations (see (Chang et al., 26 May 2025)).
- Prompt sensitivity: Behavioral responses are highly sensitive not only to semantic content but also to format and syntactic conventions, as established in (Sclar et al., 2023).
These properties collectively render delimiter-based (conventional) isolation a behavioral expectation, not an enforceable guarantee.
Implications for Deployed Systems
The primary practical risk is persistent, silent unreliability: as prompt modules are edited or extended—often by distributed communities—behavioral drift accumulates in unmonitored ways. Sub-threshold drifts, though insufficient to trigger recommendation flips individually, can bias ranking and aggregation in downstream systems. The result is a challenging auditing problem for reliability and fairness in any application domain where score-based outputs influence consequential decisions.
This has profound implications for testing and evaluation. Exhaustive pairwise or higher-order interaction testing is infeasible at the scale of repositories like OpenClaw, which may aggregate tens of thousands of composable modules. Instead, the paper advocates for regression protocols sampling across interaction spectra and highlights the necessity of re-evaluation under model migration.
Distinction from Adjacent Work and Theoretical Positioning
The study delineates CBL from adjacent failure modes (e.g., adversarial injection (Debenedetti et al., 2024), cognitive degradation (Atta et al., 21 Jul 2025), privacy leakage (Patil et al., 16 Sep 2025)) and from modular prompting approaches dependent on hard isolation at the API or mathematical level ((Khot et al., 2022), [2022.emnlp-main.109], [2023/460], [aaai.v39i16.33804]). It also situates CBL within limitations found in broader compositional generalization research ([yu2024skillmix], [dziri2023faith]).
The operational protocol introduced—three-channel perturbation along volume, content, and form—offers a reusable framework with falsifiable predictions for replication and systematization in future work. The predictions encompass model-level variation, semantic-distance sensitivity, and intervention-magnitude scaling.
Prospects for Future Research and Mitigation
Outstanding questions include the potential for architectural or pre-processing interventions that could realize robust prompt-module isolation—such as explicit scoped attention or modular caching. Alternatively, the prospect exists that the global attention mechanism of transformers precludes reliable text-level isolation altogether, requiring fundamental rethinking of agent design at scale. Extending the CBL protocol to multimodal and web-integrated agentic settings represents an open avenue for generalizing both failure modes and mitigation frameworks.
Conclusion
This study establishes compositional behavioral leakage as a measurable and practically relevant failure mode in prompt-composed agentic systems. The findings invalidate assumptions of modular compositionality under unconstrained transformer self-attention, revealing systematic, sub-threshold behavioral shifts from localized, semantically irrelevant prompt edits. The operational framework and empirical protocol provided set the stage for systematic evaluation and further research into architectural and protocol-level mitigations, establishing cross-module interference measurement as essential for reliable prompt-composed agent evaluation (2606.26356).