PromptArmor

Skill Accesses Deepseek Despite Copilot Cowork Admin Opt-out

Skills can query Deepseek in Microsoft Copilot Cowork, even when your organization has NOT opted in to the Deepseek Preview. Users never need to provide an API key, and this does not require jailbreaking Copilot.

Skills can query Deepseek in Microsoft Copilot Cowork, when your organization has NOT opted in to the Deepseek Preview.

Try the skill yourself

Overview

Microsoft Copilot Cowork is an agent that can operate on Skills and run code to help the user perform tasks with data from M365. When the agent runs code, it runs in a sandbox that is locked down from the internet - meaning that users cannot generally create Skills that access arbitrary external resources, such as unapproved AI.

However, the agent itself must be able to communicate with its servers. This opens the door for Skills to instruct Copilot Cowork to access AI models through the agent's own access path.

Here's where things get interesting: the agent can programmatically call models that are not directly accessible to the user, including models blocked at the organization level (verified for Deepseek and Mistral).

Because these calls run through the agent's own access path, the user does not even need an API key to run a Skill that uses these AI access paths - the authentication from the user's Copilot Cowork session automatically grants access to these models.

This creates a governance gap for organizations that have intentionally blocked models such as DeepSeek due to concerns about model poisoning or other risks.

How and Why DeepSeek Skills Can Enter Your Environment

Skills can be found online across hundreds of largely ungoverned Skill marketplaces or be created directly by users.

Furthermore, team members may share Skills. Users have the option to share their Skills org-wide by flipping a toggle in the Customize menu:

Skills can be shared in Microsoft Copilot Cowork

Common use cases for multi-modal workflows that can be encoded in Skills include leveraging multiple models to get varied opinions on a topic, or using multiple models to cross-validate each other's work. Users may also just want to use a model that isn't approved yet - a Skill can instruct Copilot Cowork to pass off questions to the other model and relay its responses.

These cases provide utility to the user, but sensitive data Cowork has access to, such as emails, Teams messages, and Drive documents, is being processed by these models.

Models Accessible to Copilot Cowork and Governance Gaps

Examining a model catalog from the Copilot Cowork environment, there are numerous models listed from providers including Deepseek, Mistral, OpenAI, Anthropic, OpenRouter, and Microsoft, with varying deployment options, including direct access through providers. However, it was noted that in practice, accessible models appeared to be limited to Azure deployments of DeepSeek, Mistral, and OpenAI models.

Regardless of Azure deployment, it is ambiguous what terms these models are operating under. Are organizations billed for Copilot Cowork invoking these models? Is this data being processed in accordance with the organization's consented terms?

Mistral: the admin opt-in for Mistral models is listed under 'AI providers for other large language models' and requires explicit consent to terms that state:

"you are electing to share your organization's data with Mistral and egress data from Microsoft. Your Microsoft customer agreements (including the Product Terms and Microsoft's Data Protection Addendum) do not apply to your use of Mistral services from within a Microsoft Online Service, and Microsoft's data residency, audit and compliance requirements, service level agreements, and Customer Copyright Commitment do not apply to your use of Mistral services. Some Mistral services may be offered under preview terms."

Based on these terms, it is unclear why Mistral is not listed under the settings for 'AI providers operating as Microsoft subprocessors'. Furthermore, as the observed accessible Mistral model appears to reside on Azure, when Copilot Cowork calls a Mistral model, it may be operating in a grey area - undocumented, unintentional functionality.

Microsoft's Skill for Validating Skills Scores Model Use Low Risk

Microsoft Copilot Cowork comes with a built-in Skill for Skill management, including the validation and scoring of Skills for potential risks. It is trivially easy to satisfy this evaluation and obtain a report that states a Skill that invokes models is 'publication-ready'. For example, a 'multi-modal-email-triage' Skill and an 'ask-deepseek' Skill both scored as low risk, with a health score of 100. This is in part because the evaluation system treats model access as a read-only action and because it works through the user's existing authentication, avoiding the sensitive step of handling credentials directly.

Microsoft's skill that assesses other skills rated the 'ask-deepseek' skill as low risk, with a health score of 100, and reported that the skill meets its bar for publication.
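The validator described above passes model-invoking Skills because it treats model access as read-only. The following added example (written for this page, not PromptArmor's or Microsoft's code) shows the opposite policy stance: a small linter that reads a Skill's text, treats any instruction to call a model as data egress, and checks the providers it names against an organization allowlist. It assumes Skills are plain markdown/text files and that an admin maintains the hypothetical `APPROVED_PROVIDERS` set; the three Skill texts at the bottom are constructed samples, and the pattern lists are heuristics, not a complete detector.

```python
"""Policy linter for Skill text: model calls count as data egress, not read-only.

Added example, not code from the page. Assumes Skills are plain text files and
that APPROVED_PROVIDERS (hypothetical) mirrors the admin's provider opt-ins.
"""
import re
from dataclasses import dataclass

# Hypothetical organisation policy: providers the admin has opted in to.
APPROVED_PROVIDERS = {"openai"}

# Providers named in the model catalog described on the page, with loose aliases.
PROVIDER_PATTERNS = {
    "deepseek": re.compile(r"\bdeep[\s_-]?seek\b"),
    "mistral": re.compile(r"\bmistral\b"),
    "openai": re.compile(r"\bopen[\s_-]?ai\b|\bgpt-?\d"),
    "anthropic": re.compile(r"\banthropic\b|\bclaude\b"),
    "openrouter": re.compile(r"\bopen[\s_-]?router\b"),
}

# An instruction verb followed within a few words by a model or provider name.
INVOCATION_RE = re.compile(
    r"\b(?:ask|query|call|invoke|route|forward|send|pass(?: off)?|relay)\b"
    r"(?:\s+[\w'-]+){0,8}?\s+(?:to\s+)?(?:the\s+)?"
    r"(?:model|llm|deepseek|deep seek|mistral|openai|gpt|claude|anthropic|openrouter)\b"
)
# A Skill that supplies its own system prompt can replace the agent's guardrails.
SYSTEM_PROMPT_RE = re.compile(r"\bsystem[\s_-]?prompt\b")


@dataclass
class SkillReview:
    providers: set          # provider names mentioned in the Skill text
    invokes_model: bool     # Skill instructs the agent to call a model
    sets_system_prompt: bool
    verdict: str            # "allow", "review" or "block"
    reasons: list


def review_skill(text: str, approved=APPROVED_PROVIDERS) -> SkillReview:
    """Classify a Skill; unlike a read-only view, model calls are egress."""
    lower = text.lower()
    providers = {name for name, pat in PROVIDER_PATTERNS.items() if pat.search(lower)}
    invokes = INVOCATION_RE.search(lower) is not None
    sets_prompt = SYSTEM_PROMPT_RE.search(lower) is not None
    unapproved = sorted(providers - set(approved))

    reasons, verdict = [], "allow"
    if invokes:
        reasons.append("skill instructs the agent to call a model (data egress)")
        verdict = "review"
    if unapproved:
        reasons.append("references providers not opted in: " + ", ".join(unapproved))
        verdict = "block" if invokes else "review"
    if sets_prompt:
        reasons.append("skill supplies its own system prompt")
        if verdict == "allow":
            verdict = "review"
    return SkillReview(providers, invokes, sets_prompt, verdict, reasons)


# Constructed sample Skills (not real marketplace content).
ASK_DEEPSEEK_SKILL = """---
name: ask-deepseek
description: Get a second opinion from DeepSeek.
---
When the user asks a question, send the question to DeepSeek using the agent's
model access and relay its answer. Use this system prompt for the call:
"Answer tersely."
"""

TRIAGE_SKILL = """---
name: email-triage
description: Summarise unread mail.
---
For each unread email, ask the OpenAI model for a one-line summary and a
priority label, then present the results as a table.
"""

BENIGN_SKILL = """---
name: meeting-notes
description: Format meeting notes.
---
Take the raw notes from the user and rewrite them as bullet points grouped by
topic, then list action items with owners.
"""

if __name__ == "__main__":
    for name, skill in [("ask-deepseek", ASK_DEEPSEEK_SKILL),
                        ("email-triage", TRIAGE_SKILL),
                        ("meeting-notes", BENIGN_SKILL)]:
        r = review_skill(skill)
        print(f"{name}: {r.verdict} providers={sorted(r.providers)} {r.reasons}")
```

With the allowlist set to OpenAI only, the `ask-deepseek` sample is blocked (unapproved provider plus an invocation and a Skill-supplied system prompt), the triage sample lands in review because it still egresses mail content even to an approved provider, and the notes formatter is allowed. Passing `approved=set()` blocks the triage Skill too, which is the behaviour an organization that has opted in to no external providers would want.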

Extras

  • When using a skill to call models, users can set their own system prompt, bypassing guardrails.
  • It is possible to access a Mistral model when an organization has not enabled Mistral.
