Problem
grep for skill.*trust\|mcp.*trust\|verify.*manifest\|sha256 in crates/tui/src/skills.rs and crates/tui/src/mcp.rs returns nothing. Today:
- Skills at
~/.deepseek/skills/<name>/SKILL.md are loaded and their instructions injected into the system prompt with no verification. A malicious skill installed via git clone or a copy-paste from the internet can silently inject prompts the user never reviewed.
- MCP servers at
~/.deepseek/mcp.json spawn arbitrary subprocesses with the user's full filesystem access. No hash check, no first-use prompt, no audit entry on first activation.
For any user running this on machines where they execute untrusted code (most devs), this is the most reachable attack surface.
Fix
Trust-on-first-use (TOFU) model, persisted at ~/.deepseek/trust.json:
{
"skills": {
"my-skill": { "manifest_sha256": "abc123...", "trusted_at": "2026-05-02T..." }
},
"mcp_servers": {
"github": { "command_sha256": "def456...", "trusted_at": "2026-05-02T..." }
}
}Skills
- On load, hash
SKILL.md (and any referenced files in the skill dir).
- If new skill or hash changed: prompt the user to review-and-trust before activation.
- Show diff vs trusted version on hash change ("this skill changed since you last trusted it").
- Audit entry written on every trust grant.
MCP
- Hash
command + args + env on load.
- New entry or changed hash: prompt before first invocation in the session.
- Show what command will run.
- Audit entry written on trust grant.
- Optional
trust_always = true flag in mcp.json skips the prompt for users who manage trust externally.
Companion: trust subcommand
deepseek trust list — show what's trusted.deepseek trust revoke <name> — drop trust.deepseek trust verify — re-hash everything and report drift.
Acceptance criteria
Problem
grepforskill.*trust\|mcp.*trust\|verify.*manifest\|sha256incrates/tui/src/skills.rsandcrates/tui/src/mcp.rsreturns nothing. Today:~/.deepseek/skills/<name>/SKILL.mdare loaded and their instructions injected into the system prompt with no verification. A malicious skill installed viagit cloneor a copy-paste from the internet can silently inject prompts the user never reviewed.~/.deepseek/mcp.jsonspawn arbitrary subprocesses with the user's full filesystem access. No hash check, no first-use prompt, no audit entry on first activation.For any user running this on machines where they execute untrusted code (most devs), this is the most reachable attack surface.
Fix
Trust-on-first-use (TOFU) model, persisted at
~/.deepseek/trust.json:{ "skills": { "my-skill": { "manifest_sha256": "abc123...", "trusted_at": "2026-05-02T..." } }, "mcp_servers": { "github": { "command_sha256": "def456...", "trusted_at": "2026-05-02T..." } } }Skills
SKILL.md(and any referenced files in the skill dir).MCP
command + args + envon load.trust_always = trueflag inmcp.jsonskips the prompt for users who manage trust externally.Companion: trust subcommand
deepseek trust list— show what's trusted.deepseek trust revoke <name>— drop trust.deepseek trust verify— re-hash everything and report drift.Acceptance criteria
~/.deepseek/trust.jsonschema with skills + mcp_servers maps.deepseek trust list/revoke/verifysubcommands.docs/SECURITY.md(new file) explaining the model.