devcontainer-setup

Fail

Audited by Snyk on Feb 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill intentionally weakens assistant safety controls (sets Claude to bypass permissions and provides a convenience alias to skip permissions), installs remote code via curl | bash, grants container NET_ADMIN/NET_RAW capabilities and networking tools (socat, iptables, ipset), and persists command history and assistant config. Together, these deliberate choices substantially increase the risk of data exfiltration, remote actions, and supply-chain abuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's Dockerfile and build steps explicitly fetch and execute public third-party content (e.g., "RUN curl -fsSL https://claude.ai/install.sh | bash" and downloading GitHub releases), add marketplace plugins (claude plugin marketplace add anthropics/skills, trailofbits/skills), and post_install.py sets Claude to "bypassPermissions". Together, these required workflow steps cause the agent to ingest and act on untrusted third-party content that can influence its behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The Dockerfile performs a runtime curl | bash on https://claude.ai/install.sh (and then installs marketplace plugins), which fetches and executes remote code during container build and installs an agent plus plugins that can control prompts. Because the devcontainer template depends on Claude Code, this is a required, executable remote dependency.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 19, 2026, 06:46 PM