← 返回 Skills 市场
Devcontainer Validator
作者
charlie-morrison
· GitHub ↗
· v1.0.0
· MIT-0
126
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install devcontainer-validator
功能描述
Validate devcontainer.json files for syntax, structure, features, ports, lifecycle scripts, customizations, and security best practices in VS Code Dev Contai...
使用说明 (SKILL.md)
devcontainer-validator
Validate devcontainer.json files for VS Code Dev Containers, GitHub Codespaces, and DevPod.
What it does
Checks your devcontainer.json (JSONC — comments and trailing commas supported) for common mistakes across six areas:
- Structure — required fields, conflicts between image/dockerFile/dockerComposeFile, unknown keys
- Features — OCI reference format, duplicates, empty options
- Ports & networking — forwardPorts format, port ranges, portsAttributes consistency
- Lifecycle scripts — command types, empty commands, shell injection patterns
- Customizations — VS Code extensions format, settings type, extension ID validation
- Best practices — remoteUser, privileged mode, workspaceFolder, dangerous capabilities
Rules (24+)
| Category | Rules | Examples |
|---|---|---|
| Structure (6) | Invalid JSONC syntax, missing image source, unknown top-level keys, empty name, image+dockerFile conflict, dockerFile+compose conflict | "image": "...", "dockerFile": "..." both set |
| Features (4) | Invalid features format, feature ID not valid OCI ref, empty feature options, duplicate features | "features": ["go"] (should be object) |
| Ports & networking (4) | forwardPorts not array, invalid port numbers, port out of range, portsAttributes referencing unlisted ports | "forwardPorts": [99999] |
| Lifecycle scripts (4) | Invalid command type, empty commands, shell injection patterns, onCreateCommand usage hints | "postCreateCommand": "" |
| Customizations (3) | extensions not array of strings, invalid extension ID format, settings not object | "extensions": [123] |
| Best practices (3+) | Missing remoteUser (root warning), privileged: true, missing workspaceFolder, dangerous capAdd entries | "capAdd": ["SYS_ADMIN"] |
Output formats
- text — human-readable with severity tags ([E] [W] [I])
- json — structured with summary counts
- summary — one-line PASS/WARN/FAIL
Exit codes
0— no errors (warnings/info allowed)1— errors found (or--strictwith any issue)2— file not found or parse error
Commands
validate
Full validation of all rules.
python3 scripts/devcontainer_validator.py validate devcontainer.json
python3 scripts/devcontainer_validator.py validate --format json .devcontainer/devcontainer.json
python3 scripts/devcontainer_validator.py validate --strict devcontainer.json
structure
Validate only structure rules (required fields, conflicts, unknown keys).
python3 scripts/devcontainer_validator.py structure devcontainer.json
features
Validate only the features section.
python3 scripts/devcontainer_validator.py features devcontainer.json
security
Validate only security-related rules (privileged, capAdd, shell injection, remoteUser).
python3 scripts/devcontainer_validator.py security --strict devcontainer.json
Options
| Option | Values | Default | Description |
|---|---|---|---|
--format |
text, json, summary | text | Output format |
--min-severity |
error, warning, info | info | Filter by minimum severity |
--strict |
flag | off | Exit 1 on any issue |
Requirements
- Python 3.8+ (pure stdlib, no dependencies)
Examples
# Quick check
python3 scripts/devcontainer_validator.py validate devcontainer.json
# CI pipeline
python3 scripts/devcontainer_validator.py validate --strict --format summary devcontainer.json
# Security audit only
python3 scripts/devcontainer_validator.py security --format json devcontainer.json
# Filter noise
python3 scripts/devcontainer_validator.py validate --min-severity warning devcontainer.json
安全使用建议
This skill appears to be a straightforward, local devcontainer.json validator implemented in pure Python and is coherent with its documentation. Before installing or running it in sensitive environments: (1) review the complete scripts/devcontainer_validator.py file (the provided source was truncated here) to confirm there are no unexpected network calls, subprocess.exec calls, or telemetry; (2) run it on sample files locally or in an isolated CI container; and (3) if you plan to give it access to repositories or pipeline artifacts, ensure those environments have least privilege. If you can provide the missing portion of the script, I can raise the confidence to high after reviewing it in full.
功能分析
Type: OpenClaw Skill
Name: devcontainer-validator
Version: 1.0.0
The devcontainer-validator skill is a utility for linting and validating VS Code devcontainer.json files. The core logic in scripts/devcontainer_validator.py is written in pure Python without external dependencies and focuses on identifying structural errors, security risks (like privileged mode or dangerous capabilities), and suspicious shell patterns in lifecycle scripts. No evidence of data exfiltration, malicious execution, or prompt injection was found.
能力评估
Purpose & Capability
The name/description (devcontainer.json validation) matches the included SKILL.md and the Python script: the validator implements structure, features, ports, lifecycle, customizations, and best-practice checks. Required binaries/env/configs are none, which is proportionate for a local linter.
Instruction Scope
Runtime instructions only tell the agent to run the included script against a devcontainer.json file and to use flags like --format/--strict; SKILL.md does not direct reading unrelated files, collecting secrets, or posting results to external endpoints.
Install Mechanism
No install spec (instruction-only plus an included Python script). The script targets Python 3.8+ and uses only stdlib imports (argparse, json, os, re, sys), which matches the SKILL.md claim; nothing is downloaded or written outside running the script.
Credentials
The skill declares no required environment variables, credentials, or config paths and the visible code does not access external secrets. This is appropriate for a local validation tool.
Persistence & Privilege
The skill is not force-included (always: false) and does not request persistent or cross-skill configuration. Autonomous invocation is allowed by default but not combined with other privilege concerns.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install devcontainer-validator - 安装完成后,直接呼叫该 Skill 的名称或使用
/devcontainer-validator触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release: validate devcontainer.json files for VS Code Dev Containers, GitHub Codespaces, and DevPod.
- Checks across structure, features, ports/networking, lifecycle scripts, customizations, and best practices.
- Enforces 24+ rules for common errors and security risks, with clear rule breakdowns per category.
- Supports output formats: text, JSON, and single-line summary, with customizable severity filtering.
- Dedicated commands for full validation, structure-only, features-only, and security-focused checks.
- Exit codes indicate success, errors found, or file/parse issues.
- Requires only Python 3.8+ with no external dependencies.
元数据
常见问题
Devcontainer Validator 是什么?
Validate devcontainer.json files for syntax, structure, features, ports, lifecycle scripts, customizations, and security best practices in VS Code Dev Contai... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 126 次。
如何安装 Devcontainer Validator?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install devcontainer-validator」即可一键安装,无需额外配置。
Devcontainer Validator 是免费的吗?
是的,Devcontainer Validator 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Devcontainer Validator 支持哪些平台?
Devcontainer Validator 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Devcontainer Validator?
由 charlie-morrison(@charlie-morrison)开发并维护,当前版本 v1.0.0。
推荐 Skills