NYC

devcontainer-setup

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [Data Exposure & Exfiltration] (HIGH): The skill targets sensitive host configuration directories.
      • The devcontainer.json template creates a bind mount from ${localEnv:HOME}/.claude to /root/.claude inside the container. This directory typically contains agent history, session data, and configurations.
      • This exposure allows any process within the container (running as root) to access or modify the user's primary AI agent configurations.
  • [Persistence Mechanisms] (MEDIUM): The generated setup.sh script performs permanent modifications to the host environment via the bind mount.
      • It removes existing items and creates new symlinks in the host's ~/.claude directory for rules, commands, agents, and skills.
      • This allows the container's setup process to potentially hijack or redirect the host agent's logic and behavior.
  • [Command Execution] (MEDIUM): The skill generates shell scripts and Dockerfiles that execute user-provided or environment-derived commands.
      • Variables like {{INSTALL_COMMAND}} and {{PROJECT_DIR}} are interpolated directly into setup.sh and the Dockerfile without escaping or validation.
  • [Indirect Prompt Injection] (LOW): The skill has a significant attack surface for indirect injection.
      • Ingestion points: User inputs gathered via AskUserQuestion (Project Name, Extensions, Custom Image).
      • Boundary markers: None identified in templates; variables are injected directly into code blocks.
      • Capability inventory: Subprocess execution (npm install, ln -sf, rm), file writing (creating .devcontainer files), and network operations (npm install).
      • Sanitization: None; values provided in natural-language context are treated as trusted path components and shell tokens.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 05:18 PM