devcontainer-setup
Fail
Audited by Snyk on Apr 29, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The content intentionally weakens runtime security (enabling Claude "bypassPermissions"/dangerous flags), executes remote installers via curl|bash, and grants network and tooling capabilities (NET_ADMIN/NET_RAW, socat, iptables) plus mount management and sudo-based ownership fixes. Taken together, these choices create a high-risk capability for remote access, data exfiltration, and supply-chain/backdoor abuse if misused.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's Dockerfile explicitly downloads and runs third-party installers (e.g., curl -fsSL https://claude.ai/install.sh in resources/Dockerfile) and adds marketplace plugins (claude plugin marketplace add ...), while resources/post_install.py sets Claude to "bypassPermissions", which means the agent in the devcontainer will fetch/execute and act on untrusted marketplace/plugin content that can change tool behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The Dockerfile and build steps fetch and execute remote install scripts at build/runtime (for example: curl -fsSL https://claude.ai/install.sh | bash, curl -fsSL https://fnm.vercel.app/install | bash, and curl -fsSL https://github.com/deluan/zsh-in-docker/releases/download/.../zsh-in-docker.sh which is executed), so these URLs provide required external content that runs remote code during the devcontainer setup.
Issues (3)
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata