Low Risk — Risk Score 22/100
Last scan: 1 day ago
docker-claude-code-setup
Guide for setting up Claude Code in Docker containers with ttyd web terminal, tmux session persistence, acpx multi-agent tool, and API configuration
A legitimate Docker Claude Code deployment guide with documented shell execution and standard infrastructure tooling, but lacking explicit capability declarations and containing a few broad permission examples.
Skill Name: docker-claude-code-setup
Duration: 38.2s
Engine: pi
Safe to install
Add explicit permission declarations in SKILL.md (shell:WRITE, filesystem:WRITE, network:READ). Remove the wildcard Bash(**) permission pattern from example configs in documentation. Consider pinning npm package versions to specific versions rather than latest.

Findings 4 items

Severity: Medium
Finding: Shell execution capabilities not declared in SKILL.md (Doc Mismatch)
SKILL.md executes curl|bash, apt-get, npm, pkill, nohup, and other shell commands but does not declare shell:WRITE in its allowed-tools mapping. The capability model requires explicit declarations.
Evidence: curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
→ Add 'shell:WRITE' to the allowed-tools declaration at the top of SKILL.md and document each shell command category.
Location: SKILL.md:21

Severity: Medium
Finding: curl|bash remote script execution pattern (RCE)
SKILL.md uses the risky curl|bash pattern to install Node.js from nodesource.com. While documented and standard practice, this pattern is a known high-risk indicator as it executes arbitrary remote code.
Evidence: curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
→ Consider pre-downloading the Node.js setup script, verifying its checksum, or using a package manager that handles this internally to reduce risk.
Location: SKILL.md:21

Severity: Low
Finding: Wildcard Bash(**) permission pattern shown in example (Doc Mismatch)
claude-code-installation.md:52 shows a settings.local.json example with 'Bash(**)' wildcard permission, which grants unrestricted shell execution. This is shown as a configuration example but could be copy-pasted by users.
Evidence: "Bash(**)"
→ Replace with least-privilege examples or add prominent warnings about the security implications of wildcard permissions.
Location: references/claude-code-installation.md:52

Severity: Low
Finding: Filesystem WRITE to user home directory not declared (Priv Escalation)
install-acpx.sh writes to ~/.acpx/config.json and start-ttyd.sh writes to ~/.tmux.conf without filesystem:WRITE being declared.
Evidence: cat > ~/.acpx/config.json << 'EOF'
→ Declare filesystem:WRITE in SKILL.md if home directory file writes are part of the skill's behavior.
Location: scripts/install-acpx.sh:28

Resource Declared Inferred Status Evidence
Shell NONE WRITE ✓ Aligned SKILL.md:21, SKILL.md:25, SKILL.md:32 — curl|bash, apt-get, npm install, pkill, …
Filesystem NONE WRITE ✓ Aligned install-acpx.sh:28, start-ttyd.sh:15 — writes ~/.tmux.conf, ~/.acpx/config.json …
Network NONE READ ✓ Aligned SKILL.md:21, SKILL.md:25, start-ttyd.sh:43 — fetches from deb.nodesource.com, np…
Environment NONE READ ✓ Aligned SKILL.md:68 — skill instructs users to export ANTHROPIC_API_KEY, exposing enviro…
1 Critical 10 findings
Critical Dangerous Command (dangerous shell command)
curl -fsSL https://deb.nodesource.com/setup_20.x | bash
SKILL.md:21
Medium External URL
https://deb.nodesource.com/setup_20.x
SKILL.md:21
Medium External URL
https://api.example.com/v1
SKILL.md:69
Medium External URL
http://HOST:6080
SKILL.md:103
Medium External URL
https://api.lkeap.cloud.tencent.com/coding/anthropic
references/api-configuration.md:10
Medium External URL
https://api.deepseek.com
references/api-configuration.md:11
Medium External URL
https://aip.baidubce.com/rpc/2.0/ai_custom/v1
references/api-configuration.md:12
Medium External URL
https://dashscope.aliyuncs.com/compatible-mode/v1
references/api-configuration.md:13
Medium External URL
https://api.example.com/anthropic
references/api-configuration.md:85
Medium External URL
http://YOUR_IP:6080
references/ttyd-tmux-setup.md:99

File Tree

7 files · 16.3 KB · 650 lines
Markdown 5f · 563L Shell 2f · 87L
├─ 📁 references
│ ├─ 📝 acpx-setup.md Markdown 86L · 1.3 KB
│ ├─ 📝 api-configuration.md Markdown 106L · 2.3 KB
│ ├─ 📝 claude-code-installation.md Markdown 101L · 1.7 KB
│ └─ 📝 ttyd-tmux-setup.md Markdown 101L · 1.9 KB
├─ 📁 scripts
│ ├─ 🔧 install-acpx.sh Shell 40L · 833 B
│ └─ 🔧 start-ttyd.sh Shell 47L · 1.0 KB
└─ 📝 SKILL.md Markdown 169L · 7.1 KB

Dependencies 2 items

Package Version Source Known Vulns Notes
@anthropic-ai/claude-code latest npm No Version not pinned in SKILL.md
@anthropic-ai/acpx latest npm No Version not pinned in SKILL.md

Security Positives

✓ All npm packages are from official @anthropic-ai and npmjs.com registries with no typosquatting detected
✓ No base64 encoding, obfuscation, or anti-analysis techniques found
✓ No credential harvesting, key exfiltration, or unauthorized data access observed
✓ Documentation explicitly includes security advice about not hardcoding API keys and using .env files
✓ API configuration examples reference legitimate providers (Anthropic, Tencent, DeepSeek, Baidu, Alibaba)
✓ No supply chain malicious dependency indicators found — no external scripts fetched at runtime