feat(code): in-the-moment trust prompt for symlinked skills#4200
Merged
Conversation
Add an MCP-trust-style approval flow for skills whose SKILL.md resolves outside trusted skill directories. Instead of a hard PermissionError, the TUI prompts once to allow the resolved target directory, persists the decision to ~/.deepagents/.state/skill_trust.json, and retries. Adds `skills trust list|revoke|clear` to audit and revoke approvals. Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com>
Mason Daugherty (mdrxy)
marked this pull request as ready for review
June 24, 2026 03:50
Contributor
There was a problem hiding this comment.
Security Issues
- Symlink Trust Bypass
Persisted skill trust entries are resolved again when they are added to the containment roots. If a previously approved directory path is later replaced with a symlink to a different location, the next launch can silently trust the new resolved target without showing the trust prompt, allowing a malicious skill symlink to read files from that new location as skill content.
Stored skill trust entries are the canonical directory approved by the user, but discover_skills_and_roots re-resolved them before adding to the containment allowlist. A post-approval symlink swap of the stored path (or a parent) would silently allowlist a different target without re-prompting. Verify each entry still resolves to itself and add the stored canonical path as-is instead of re-resolving. Co-authored-by: open-swe[bot] <open-swe@users.noreply.github.com>
Restore status.py, test_status.py, version files (0.1.32), CHANGELOG, release-please-manifest, and lockfiles to match main. These were unintended regressions carried in by main merge commits.
Mason Daugherty (mdrxy)
requested a review
from John Kennedy (jkennedyvz)
as a code owner
July 6, 2026 07:16
Mason Daugherty (mdrxy)
added a commit
that referenced
this pull request
Jul 6, 2026
> [!CAUTION] > Merging this PR will automatically publish to **PyPI** and create a **GitHub release**. For the full release process, see [`.github/RELEASING.md`](https://github.com/langchain-ai/deepagents/blob/main/.github/RELEASING.md). --- _Everything below this line will be the GitHub release body._ --- ## [0.1.33](deepagents-code==0.1.32...deepagents-code==0.1.33) (2026-07-06) ### Features * In-the-moment trust prompt for symlinked skills ([#4200](#4200)) ([a4431e4](a4431e4)) * Selective per-server project MCP trust ([#4507](#4507)) ([aaa22a9](aaa22a9)) * Add `dcode tools list` command ([#4461](#4461)) ([1402d0e](1402d0e)) ### Bug Fixes * Strip media placeholders from model-facing message text ([#4462](#4462)) ([aa0ae36](aa0ae36)) * Re-apply theme preference on `/reload` ([#4514](#4514)) ([5d1c392](5d1c392)) --- _Everything above this line will be the GitHub release body._ --- > [!NOTE] > A **New Contributors** section is appended to the GitHub release notes automatically at publish time (see [Release Pipeline](https://github.com/langchain-ai/deepagents/blob/main/.github/RELEASING.md#release-pipeline), step 2). --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Mason Daugherty <github@mdrxy.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Skills whose
SKILL.mdresolves outside trusted directories (e.g. via a symlink) can now be approved in the moment via a trust prompt, instead of requiring a quit-and-relaunch to edit config. Approved directories are persisted to~/.deepagents/.state/skill_trust.jsonand can be audited or revoked withdcode skills trust list|revoke|clear.Today, invoking a skill whose
SKILL.mdresolves (via symlink) outside every trusted skill root fails hard with aPermissionError, and the only way to proceed is to quit, setDEEPAGENTS_CODE_EXTRA_SKILLS_DIRS/[skills].extra_allowed_dirs, and relaunch. This adds an in-the-moment approval flow modeled on the existing project-level MCP trust screen.When containment fails, the TUI shows a
SkillTrustScreennaming the skill and the resolved target directory. Allowing reads the skill immediately, persists the resolved target directory to a new trust store at~/.deepagents/.state/skill_trust.json(managed byskills/trust.py, mirroringmcp_trust.py), and extends the in-session containment allowlist. Denying is safe and is remembered for the rest of the session so the user is not re-nagged. The non-interactive (-x) path keeps the existing hard-fail + hint.Trust is keyed by the resolved target directory — the canonical path shown to the user at approval time, stored as-is and never re-resolved. Two distinct post-approval symlink swaps are caught by two distinct layers, so neither grants access the user never approved:
SKILL.mdpath) at a new target is caught by containment enforcement inload_skill_content: the new target is not on the allowlist, so the read is refused and the user is re-prompted. The stored trust entry — the original resolved target — is untouched.resolve()-to-self re-verification inload_trusted_skill_dirs, which drops the stale entry rather than following the injected symlink to a directory the user never approved.Persisted approvals join the containment roots in
discover_skills_and_roots, so they apply on subsequent launches.skills trust list|revoke|clearlets users audit and revoke approved directories; the declarativeextra_allowed_dirs/ env allowlist still works unchanged as the permanent path.