Guide for setting up secured VS Code dev containers for coding agents. Use when creating or hardening a DevContainer to sandbox Claude Code or other coding agents, configuring Docker socket proxies, handling VS Code IPC escape vectors, setting up git worktree support, or verifying security controls. Covers threat model, three-layer defence architecture, Node.js/pnpm setup, and verification testing.
95%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines a specific security-focused niche for DevContainer configuration. It provides comprehensive trigger terms, explicit 'Use when' guidance with multiple scenarios, and highly specific technical capabilities that distinguish it from general containerization or VS Code skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'setting up secured VS Code dev containers', 'configuring Docker socket proxies', 'handling VS Code IPC escape vectors', 'setting up git worktree support', 'verifying security controls'. Also mentions specific coverage areas like 'threat model, three-layer defence architecture, Node.js/pnpm setup'. | 3 / 3 |
| Completeness | Clearly answers both what ('Guide for setting up secured VS Code dev containers') and when ('Use when creating or hardening a DevContainer to sandbox Claude Code or other coding agents, configuring Docker socket proxies...'). Has explicit 'Use when' clause with multiple trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'DevContainer', 'sandbox', 'Claude Code', 'coding agents', 'Docker socket', 'VS Code', 'git worktree', 'security controls'. These are terms developers would naturally use when seeking this guidance. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche combining DevContainers + security + coding agents. The specific focus on 'Docker socket proxies', 'VS Code IPC escape vectors', and 'sandbox Claude Code' creates a clear, unique domain unlikely to conflict with general Docker or VS Code skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
87%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured skill with excellent conciseness and actionability. The documentation index and progressive disclosure are exemplary. The main weakness is workflow clarity - while the security controls are well-documented, the actual setup workflow lacks explicit verification checkpoints inline, requiring users to navigate to a separate document to confirm their setup is secure.
Suggestions
Add a brief inline verification checklist after Quick Start (e.g., '## Verify Setup: 1. Run `docker exec app cat /proc/1/status | grep Cap` - should show zeros 2. Try `sudo` - should fail') before pointing to VERIFICATION.md for comprehensive testing
Include the minimal docker-compose.yml inline in Quick Start rather than just referencing DOCKER-PROXY.md, since it's one of the 'three files needed'
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Content is lean and efficient - tables summarize controls without verbose explanations, threat model is crisp (3 bullet points), and the architecture diagram conveys complex information visually. No unnecessary explanations of what Docker or DevContainers are. | 3 / 3 |
| Actionability | Provides complete, copy-paste ready devcontainer.json with specific environment variables and settings. The JSON is fully executable, not pseudocode, with inline comments explaining non-obvious choices. | 3 / 3 |
| Workflow Clarity | Quick Start mentions 'three files are needed' but only provides one complete file, deferring the other two to sub-documents. The verification steps are entirely delegated to VERIFICATION.md rather than providing inline checkpoints to confirm security controls are working. | 2 / 3 |
| Progressive Disclosure | Excellent structure with clear Documentation Index table providing one-level-deep references. Each sub-document is clearly signaled with its purpose. The main file serves as a proper overview with actionable quick start while appropriately splitting detailed content. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
Reviewed