Docker Claude Code Setup
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The setup guide is coherent, but it encourages a writable web terminal and very broad Claude Code permissions without enough access-control guidance.
Install only in an isolated Docker container or trusted environment. Do not expose ttyd to the public internet without authentication and network restrictions, narrow Claude Code permissions before using real projects, avoid sensitive host mounts, and protect API keys.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the port is exposed, someone who can reach the web terminal could run commands inside the container.
The guide enables write access to a web terminal and documents external access, but does not configure ttyd authentication, bind-only-localhost behavior, or other access controls.
ttyd -p 6080 -W tmux new -A -s main ... -W: allow write access ... external access: http://YOUR_IP:6080
Bind ttyd to localhost or a private interface, add strong authentication, restrict firewall/port publishing, and avoid using it with sensitive host mounts.
Claude Code could read or modify many files and run shell commands in the container, including mounted host directories if present.
The recommended Claude Code permission configuration grants broad read, edit, write, and shell-command authority without narrowing it to a specific project or command set.
"allow": [ "Read(**)", "Edit(**)", "Write(**)", "Bash(**)" ]
Use the narrowest possible permissions, limit access to a disposable project workspace, require confirmation for risky actions, and keep backups before enabling broad write or Bash access.
The terminal session can continue running after the browser is closed, which is useful but can leave active commands or shells behind.
The script intentionally starts a long-running background web terminal attached to a persistent tmux session.
nohup ttyd -p $PORT -W bash -c "export LANG=zh_CN.UTF-8; cd $WORKSPACE && tmux new -A -s main" > /tmp/ttyd.log 2>&1 &
Know how to stop the service and tmux session, and avoid exposing persistent terminals to untrusted networks.
Installation executes code from external package sources with the user's/container's privileges.
The setup uses a remote shell installer piped into bash and a global npm installation; this is common for setup scripts, but neither the installer nor the package is pinned to a version or verified against a checksum.
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
...
npm install -g @anthropic-ai/acpx
Run this only in a trusted, disposable container; verify package sources; and pin versions or use checksums where practical.
API keys placed in environment variables, .env files, or acpx config can be abused if the container, workspace, or repository is exposed.
The skill asks users to configure provider API keys, which is expected for Claude Code but should be treated as sensitive credential handling.
export ANTHROPIC_API_KEY="your-api-key" ... ANTHROPIC_BASE_URL=https://api.example.com/v1 ... create a `.env` file in the project directory
Do not commit API keys, restrict file permissions, use least-privilege keys where available, and rotate keys if they may have been exposed.
Task text or code context may be processed by whichever agent/provider the user selects.
The acpx workflow can route coding tasks to different agents/providers; this is disclosed and purpose-aligned, but users should understand where their prompts and code may go.
acpx is the ACP provided by Anthropic ... it can switch between multiple AI coding agents: Claude Code, OpenAI Codex, Gemini CLI, Cursor
Use only approved providers for sensitive code, avoid sending secrets in prompts, and configure each agent with the intended credentials and data boundaries.
