devcontainer-setup
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill parses project manifest files such as package.json and pyproject.toml to extract names and version requirements. This untrusted data is then interpolated into generated configuration files including the Dockerfile and devcontainer.json.
- Ingestion points: Project manifest files (package.json, pyproject.toml, Cargo.toml, go.mod) identified in SKILL.md.
- Boundary markers: No explicit markers or instructions are provided to the agent to ignore potentially malicious embedded instructions within the processed data.
- Capability inventory: The skill writes multiple files to the local filesystem and configures container execution with elevated NET_ADMIN capabilities.
- Sanitization: Employs slugification (lowercasing and character replacement) for project names, but lacks explicit validation for other extracted metadata such as tool version strings.
- [EXTERNAL_DOWNLOADS]: The skill configures devcontainers to fetch features from the GitHub Container Registry (ghcr.io) and incorporates plugins from well-known sources including Anthropics and Trail of Bits.
- [COMMAND_EXECUTION]: Generates a postCreateCommand that orchestrates the execution of shell commands and a Python-based setup script (post_install.py) to initialize the container environment.