← Back to Skills Marketplace
charlie-morrison

Devcontainer Validator

by charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
126
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install devcontainer-validator
Description
Validate devcontainer.json files for syntax, structure, features, ports, lifecycle scripts, customizations, and security best practices in VS Code Dev Contai...
README (SKILL.md)

devcontainer-validator

Validate devcontainer.json files for VS Code Dev Containers, GitHub Codespaces, and DevPod.

What it does

Checks your devcontainer.json (JSONC — comments and trailing commas supported) for common mistakes across six areas:

  • Structure — required fields, conflicts between image/dockerFile/dockerComposeFile, unknown keys
  • Features — OCI reference format, duplicates, empty options
  • Ports & networking — forwardPorts format, port ranges, portsAttributes consistency
  • Lifecycle scripts — command types, empty commands, shell injection patterns
  • Customizations — VS Code extensions format, settings type, extension ID validation
  • Best practices — remoteUser, privileged mode, workspaceFolder, dangerous capabilities

Rules (24+)

Category Rules Examples
Structure (6) Invalid JSONC syntax, missing image source, unknown top-level keys, empty name, image+dockerFile conflict, dockerFile+compose conflict "image": "...", "dockerFile": "..." both set
Features (4) Invalid features format, feature ID not valid OCI ref, empty feature options, duplicate features "features": ["go"] (should be object)
Ports & networking (4) forwardPorts not array, invalid port numbers, port out of range, portsAttributes referencing unlisted ports "forwardPorts": [99999]
Lifecycle scripts (4) Invalid command type, empty commands, shell injection patterns, onCreateCommand usage hints "postCreateCommand": ""
Customizations (3) extensions not array of strings, invalid extension ID format, settings not object "extensions": [123]
Best practices (3+) Missing remoteUser (root warning), privileged: true, missing workspaceFolder, dangerous capAdd entries "capAdd": ["SYS_ADMIN"]

Output formats

  • text — human-readable with severity tags ([E] [W] [I])
  • json — structured with summary counts
  • summary — one-line PASS/WARN/FAIL

Exit codes

  • 0 — no errors (warnings/info allowed)
  • 1 — errors found (or --strict with any issue)
  • 2 — file not found or parse error

Commands

validate

Full validation of all rules.

python3 scripts/devcontainer_validator.py validate devcontainer.json
python3 scripts/devcontainer_validator.py validate --format json .devcontainer/devcontainer.json
python3 scripts/devcontainer_validator.py validate --strict devcontainer.json

structure

Validate only structure rules (required fields, conflicts, unknown keys).

python3 scripts/devcontainer_validator.py structure devcontainer.json

features

Validate only the features section.

python3 scripts/devcontainer_validator.py features devcontainer.json

security

Validate only security-related rules (privileged, capAdd, shell injection, remoteUser).

python3 scripts/devcontainer_validator.py security --strict devcontainer.json

Options

Option Values Default Description
--format text, json, summary text Output format
--min-severity error, warning, info info Filter by minimum severity
--strict flag off Exit 1 on any issue

Requirements

  • Python 3.8+ (pure stdlib, no dependencies)

Examples

# Quick check
python3 scripts/devcontainer_validator.py validate devcontainer.json

# CI pipeline
python3 scripts/devcontainer_validator.py validate --strict --format summary devcontainer.json

# Security audit only
python3 scripts/devcontainer_validator.py security --format json devcontainer.json

# Filter noise
python3 scripts/devcontainer_validator.py validate --min-severity warning devcontainer.json
Usage Guidance
This skill appears to be a straightforward, local devcontainer.json validator implemented in pure Python and is coherent with its documentation. Before installing or running it in sensitive environments: (1) review the complete scripts/devcontainer_validator.py file (the provided source was truncated here) to confirm there are no unexpected network calls, subprocess.exec calls, or telemetry; (2) run it on sample files locally or in an isolated CI container; and (3) if you plan to give it access to repositories or pipeline artifacts, ensure those environments have least privilege. If you can provide the missing portion of the script, I can raise the confidence to high after reviewing it in full.
Capability Analysis
Type: OpenClaw Skill Name: devcontainer-validator Version: 1.0.0 The devcontainer-validator skill is a utility for linting and validating VS Code devcontainer.json files. The core logic in scripts/devcontainer_validator.py is written in pure Python without external dependencies and focuses on identifying structural errors, security risks (like privileged mode or dangerous capabilities), and suspicious shell patterns in lifecycle scripts. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Capability Assessment
Purpose & Capability
The name/description (devcontainer.json validation) matches the included SKILL.md and the Python script: the validator implements structure, features, ports, lifecycle, customizations, and best-practice checks. Required binaries/env/configs are none, which is proportionate for a local linter.
Instruction Scope
Runtime instructions only tell the agent to run the included script against a devcontainer.json file and to use flags like --format/--strict; SKILL.md does not direct reading unrelated files, collecting secrets, or posting results to external endpoints.
Install Mechanism
No install spec (instruction-only plus an included Python script). The script targets Python 3.8+ and uses only stdlib imports (argparse, json, os, re, sys), which matches the SKILL.md claim; nothing is downloaded or written outside running the script.
Credentials
The skill declares no required environment variables, credentials, or config paths and the visible code does not access external secrets. This is appropriate for a local validation tool.
Persistence & Privilege
The skill is not force-included (always: false) and does not request persistent or cross-skill configuration. Autonomous invocation is allowed by default but not combined with other privilege concerns.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install devcontainer-validator
  3. After installation, invoke the skill by name or use /devcontainer-validator
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release: validate devcontainer.json files for VS Code Dev Containers, GitHub Codespaces, and DevPod. - Checks across structure, features, ports/networking, lifecycle scripts, customizations, and best practices. - Enforces 24+ rules for common errors and security risks, with clear rule breakdowns per category. - Supports output formats: text, JSON, and single-line summary, with customizable severity filtering. - Dedicated commands for full validation, structure-only, features-only, and security-focused checks. - Exit codes indicate success, errors found, or file/parse issues. - Requires only Python 3.8+ with no external dependencies.
Metadata
Slug devcontainer-validator
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Devcontainer Validator?

Validate devcontainer.json files for syntax, structure, features, ports, lifecycle scripts, customizations, and security best practices in VS Code Dev Contai... It is an AI Agent Skill for Claude Code / OpenClaw, with 126 downloads so far.

How do I install Devcontainer Validator?

Run "/install devcontainer-validator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Devcontainer Validator free?

Yes, Devcontainer Validator is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Devcontainer Validator support?

Devcontainer Validator is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Devcontainer Validator?

It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments