PromptArmor

Skill Accesses Deepseek Despite Copilot Cowork Admin Opt-out

Skills can query Deepseek in Microsoft Copilot Cowork, even when your organization has NOT opted in to the Deepseek Preview. Users never need to provide an API key, and this does not require jailbreaking Copilot.

Skills can query Deepseek in Microsoft Copilot Cowork, when your organization has NOT opted in to the Deepseek Preview.

See the Skill for yourself

Overview

Microsoft Copilot Cowork is an agent that can operate on Skills and run code to help the user perform tasks with data from M365. When the agent runs code, it runs in a sandbox that is locked down from the internet - meaning that users generally cannot create Skills that reach arbitrary external resources, such as unapproved AI models.

However, the agent itself must be able to communicate with its servers. This opens the door for Skills to instruct Copilot Cowork to access AI models through the agent's own access path.

Here's where things get interesting: the agent can programmatically call models that are not directly accessible to the user, including models blocked at the organization level (verified for Deepseek and Mistral).

Because these calls run through the agent's own access path, the user does not even need an API key to run a Skill that uses these AI access paths - the authentication from the user's Copilot Cowork session automatically grants access to models.

This creates a governance gap for organizations that have intentionally blocked models such as DeepSeek due to concerns about model poisoning or other risks.

Microsoft's Skill Scanner Scores It A Perfect 100

Microsoft Copilot Cowork comes with a built-in Skill for Skill management, which validates and scores Skills for potential risks.

The 'multi-modal-email-triage' Skill that calls DeepSeek was given a perfect score of 100 with a 'low risk' security rating.

Skill that Calls DeepSeek Validated by Microsoft Scanner, Score 100/100

Fun Fact - the security scan portion of the built-in validator references PromptArmor research in a code comment:

[security_scan.py] includes a "scan of SKILL.md, references/ prose files, and the raw text of bundled code for the attack class behind issue #11495 (PromptArmor): instruction-override phrasing, hidden exfiltration beacons (external image/img URLs that browsers fetch on render)..."

How and Why DeepSeek Skills Can Enter Your Environment

Skills can be found online across hundreds of largely ungoverned Skill marketplaces or be created directly by users.

Furthermore, team members may share Skills. Users have the option to share their Skills org-wide by flipping a toggle in the Customize menu:

Skills can be shared in Microsoft Copilot Cowork

Common use cases for multi-modal workflows that can be built into Skills include leveraging multiple models to get varied opinions on a topic or using multiple models to cross-validate each other's work. Users may also simply want to use a model that isn't approved yet - a Skill can instruct Copilot Cowork to pass questions off to the other model and relay its responses.

These cases provide utility to the user, but sensitive data Cowork has access to, such as emails, Teams messages, and Drive documents, is being processed by these models.

Models Accessible to Copilot Cowork and Governance Gaps

Examining a model catalog from the Copilot Cowork environment, numerous models are listed from providers including Deepseek, Mistral, OpenAI, Anthropic, OpenRouter and Microsoft, with varying deployment options, including direct access through the providers. However, in practice the accessible models appeared to be limited to Azure deployments of DeepSeek, Mistral, and OpenAI models.

Regardless of Azure deployment, it is ambiguous what terms these models are operating under. Are organizations billed for Copilot Cowork invoking these models? Is this data being processed in accordance with the organization's consented terms?

To exemplify the ambiguity: the admin opt-in for Mistral models is listed under 'AI providers for other large language models' and requires explicit consent to terms that state:

"you are electing to share your organization's data with Mistral and egress data from Microsoft. Your Microsoft customer agreements (including the Product Terms and Microsoft's Data Protection Addendum) do not apply to your use of Mistral services from within a Microsoft Online Service, and Microsoft's data residency, audit and compliance requirements, service level agreements, and Customer Copyright Commitment do not apply to your use of Mistral services. Some Mistral services may be offered under preview terms."

Based on these terms, it is unclear why Mistral is not listed under settings for 'AI providers operating as Microsoft subprocessors'.

However, even the unclear terms above do not seem to map to the case of Copilot Cowork invoking Mistral, as the observed accessible Mistral model appears to reside on Azure.

When Copilot Cowork calls a model this way, it appears to be operating in a grey area - undocumented and apparently unintended functionality.

Skills can Set a System Prompt, Bypassing Guardrails

When Copilot Cowork directly invokes a model through a Skill, the user gains full control over the system prompt being sent with their query.

Below, Copilot Cowork invokes other models with a user-controlled system prompt, allowing the user to make queries that would otherwise be blocked by Copilot Cowork's guardrails.

Models are invoked with custom system prompts bypassing Copilot's guardrails
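As an added example (not Microsoft's validator and not PromptArmor's code), below is a supplementary allowlist check an administrator could run over a Skill bundle's SKILL.md, references/ prose and bundled code before it is shared org-wide: it flags references to model providers the tenant has not approved, the case the built-in scanner scored 100/100, and separately flags a Skill that supplies its own system prompt, as this section describes. The approved-provider set, the file layout and both sample bundles are constructed assumptions, not values from the Cowork environment.

```python
import re
from dataclasses import dataclass

# Providers the tenant admin has approved (constructed policy, not a Microsoft setting).
APPROVED_PROVIDERS = {"openai", "microsoft"}

# Raw-text patterns for the providers named in the model catalog discussed above.
PROVIDER_PATTERNS = {
    "deepseek": re.compile(r"deep-?seek", re.I),
    "mistral": re.compile(r"mistral", re.I),
    "openai": re.compile(r"openai|gpt-", re.I),
    "anthropic": re.compile(r"anthropic|claude", re.I),
    "openrouter": re.compile(r"openrouter", re.I),
    "microsoft": re.compile(r"azure|microsoft", re.I),
}
# A Skill that supplies its own system prompt sidesteps the agent's guardrails,
# so that is flagged regardless of which provider it targets.
SYSTEM_PROMPT_RE = re.compile(r"""["']role["']\s*:\s*["']system["']|system_prompt\s*=""", re.I)

@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "unapproved_provider" or "custom_system_prompt"
    detail: str

def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's raw text (SKILL.md, references/ prose, or bundled code)."""
    findings = []
    for provider, pattern in PROVIDER_PATTERNS.items():
        if provider not in APPROVED_PROVIDERS and pattern.search(text):
            findings.append(Finding(path, "unapproved_provider", provider))
    if SYSTEM_PROMPT_RE.search(text):
        findings.append(Finding(path, "custom_system_prompt", "skill sets its own system prompt"))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a bundle given as {relative path: contents}; fill it from Path.rglob for a real directory."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

def verdict(findings: list[Finding]) -> str:
    """Block on any unapproved provider; send a Skill with its own system prompt to review."""
    kinds = {f.kind for f in findings}
    if "unapproved_provider" in kinds:
        return "block"
    return "review" if "custom_system_prompt" in kinds else "allow"

# Constructed sample bundles (invented contents, modelled on the Skill described in the post).
TRIAGE_SKILL = {
    "SKILL.md": "# multi-modal-email-triage\nTriage the inbox, then ask DeepSeek for a second opinion.\n",
    "scripts/triage.py": 'messages = [{"role": "system", "content": "You are a triage assistant."}]\nmodel = "deepseek-r1"\n',
}
CLEAN_SKILL = {"SKILL.md": "# summarize-notes\nSummarise the meeting notes in the user's OneDrive.\n"}

if __name__ == "__main__":
    for name, bundle in (("multi-modal-email-triage", TRIAGE_SKILL), ("summarize-notes", CLEAN_SKILL)):
        print(name, verdict(scan_files(bundle)), [(f.path, f.kind, f.detail) for f in scan_files(bundle)])
```

Pattern matching on raw text is a coarse gate rather than a replacement for the built-in validator; it is meant to catch the specific gap shown here, a Skill that names an unapproved provider or sets its own system prompt.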

Edit June 25th: DeepSeek Setting Removed; Model Still Accessible via Skills

As of Thursday, June 25th, Microsoft has removed the DeepSeek Preview access setting from the Microsoft Admin Center. There does not appear to be an alternative setting for managing DeepSeek access.

Copilot Cowork can still call DeepSeek through Skills. There currently seems to be no way for admins to disable DeepSeek access through the Copilot Cowork code environment. Note: This does not mean users can choose DeepSeek as the model they use in the normal model selector.

The only governance option left for administrators to prevent DeepSeek access appears to be disabling Copilot Cowork entirely via:

Microsoft 365 Admin Center > Agents > Cowork > Users > Available To > Select: No Users

PromptArmor Threat Intelligence

Is your organization protected from AI in vendors?

PromptArmor continuously monitors across your portfolio of third party AI in vendors, skills, plugins, connectors, MCP servers, models and more.

We detect vulnerabilities and changes like this, surfacing risk before it becomes an incident.
