vscode-docs icon indicating copy to clipboard operation
vscode-docs copied to clipboard
verified publisher icon microsoft

Be more clear about restricted mode/workspace trust

Open Tyriar opened this issue 2 months ago • 3 comments

I tried to get a link that explains details about workspace trust and the best there seems to be is the line item in https://code.visualstudio.com/docs/copilot/security#_user-responsibilities-and-best-practices

Open new codebases in restricted mode: Until you've reviewed a project for malicious code like watch tasks or scripts, rely on the Workspace Trust boundary and open it in restricted mode. Opening a workspace in restricted mode also disables agent mode in that workspace.

I think we should change it to something like this:

Open untrusted/foreign codebases in restricted mode: Until you've reviewed a project for malicious code, rely on the Workspace Trust boundary and open it in restricted mode. Opening a workspace in restricted mode also disables agent mode in that workspace. Remember any file could be pulled into the context by agent mode so any file could theoretically cause a prompt injection attack.

Tyriar avatar Oct 22 '25 21:10 Tyriar

@Tyriar What about the content here: https://code.visualstudio.com/docs/editing/workspaces/workspace-trust ? Or are you specifically looking for workspace trust irt agents?

ntrogh avatar Oct 22 '25 21:10 ntrogh

We should have a statement about how it related to agent mode. We mention restricted mode disables agent mode, but not that any file can cause problems when in agent mode as they could be pulled in automatically via tool calls which happens by design without user approval.

Tyriar avatar Oct 22 '25 21:10 Tyriar

Hi! I'd like to work on this documentation improvement. I can update the wording to make it clearer about workspace trust for untrusted/foreign codebases. I'll submit a PR soon.

Navadeep0007 avatar Nov 12 '25 14:11 Navadeep0007

I think there is still a small but important gap after #9050.

While restricted mode disabling agent mode is mentioned, the docs don’t explicitly state why this matters from a security perspective.

It would be valuable to add a short note explaining that when agent mode is enabled, files can be automatically pulled into context via tool calls by design, without explicit user approval. This means that any file in an untrusted workspace could theoretically participate in prompt injection or context poisoning.

Making this relationship explicit (Workspace Trust → Agent Mode → automatic context extraction) would help users better understand the risk model and why opening untrusted codebases in restricted mode is strongly recommended.

DakotaB75 avatar Dec 20 '25 15:12 DakotaB75