24c705cd27
* fix: validate env-loaded tokens to prevent curl config injection _load_token_from_env() performed zero validation on API token values from environment variables before they reached _curl_api(), which passes auth headers via curl's -K stdin config. A token containing a double-quote could break out of the config's quoted string and inject additional curl directives (e.g., redirecting the request to an attacker-controlled server). _load_token_from_config() already validates with the same regex (^[a-zA-Z0-9._/@:+=, -]+$). This adds the same check to the env path, closing the defense-in-depth gap across all token-loading paths. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: pre-built Docker image for OpenClaw on Fly.io (#1686) Eliminates the slow waitForCloudInit() + bun install phase by booting a pre-built image with Node.js, bun, and openclaw already installed. The image is rebuilt daily via GitHub Actions to pick up new releases. Other agents are unaffected — they still use ubuntu:24.04 + cloud-init. Co-authored-by: spawn-bot <spawn-bot@openrouter.ai> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> * fix: use positional params in macOS curl path to prevent command injection (#1685) **Why:** The macOS fallback in `request_missing_cloud_keys()` used `${providers_json}` directly in a curl `-d` argument. If `providers_json` contained shell metacharacters (e.g., from a failed python3 call), this could execute arbitrary commands. The Linux path already used the safe positional parameter pattern (`bash -c '...' -- "$1" "$2" "$3"`). Unifies both code paths to use the safe positional parameter pattern. Fixes #1684 Agent: team-lead Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: update test to expect rejection of tokens with newlines The _load_token_from_env validation now rejects tokens containing newline characters to prevent curl config injection. Update the test to expect exit code 1 and verify the warning message is emitted. Agent: pr-maintainer Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: spawn-bot <spawn-bot@openrouter.ai> |
||
|---|---|---|
| .claude | ||
| .githooks | ||
| .github | ||
| assets | ||
| aws | ||
| cli | ||
| daytona | ||
| digitalocean | ||
| fly | ||
| gcp | ||
| hetzner | ||
| local | ||
| shared | ||
| sprite | ||
| test | ||
| .gitignore | ||
| .shellcheckrc | ||
| CLAUDE.md | ||
| LICENSE | ||
| manifest.json | ||
| README.md | ||
Spawn
Launch any AI agent on any cloud with a single command. Coding agents, research agents, self-hosted AI tools — Spawn deploys them all. All models powered by OpenRouter. (ALPHA software, use at your own risk!)
6 agents. 8 clouds. 48 working combinations. Zero config.
Install
macOS / Linux — and Windows users inside a WSL2 terminal (Ubuntu, Debian, etc.):
curl -fsSL https://openrouter.ai/labs/spawn/cli/install.sh | bash
Windows PowerShell (outside WSL):
irm https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/cli/install.ps1 | iex
Usage
spawn # Interactive picker
spawn <agent> <cloud> # Launch directly
spawn matrix # Show the full agent x cloud matrix
Examples
spawn # Interactive picker
spawn claude sprite # Claude Code on Sprite
spawn codex hetzner # Codex CLI on Hetzner
spawn claude sprite --prompt "Fix bugs" # Non-interactive with prompt
spawn codex sprite -p "Add tests" # Short form
spawn claude # Show clouds available for Claude
spawn delete # Delete a running server
spawn delete -c hetzner # Delete a server on Hetzner
Commands
| Command | Description |
|---|---|
spawn |
Interactive agent + cloud picker |
spawn <agent> <cloud> |
Launch agent on cloud directly |
spawn <agent> <cloud> --dry-run |
Preview without provisioning |
spawn <agent> <cloud> -p "text" |
Non-interactive with prompt |
spawn <agent> <cloud> --prompt-file f.txt |
Prompt from file |
spawn <agent> <cloud> --debug |
Show all commands being executed |
spawn <agent> |
Show available clouds for an agent |
spawn <cloud> |
Show available agents for a cloud |
spawn matrix |
Full agent x cloud matrix |
spawn list |
Browse and rerun previous spawns |
spawn list <filter> |
Filter history by agent or cloud name |
spawn list -a <agent> |
Filter history by agent |
spawn list -c <cloud> |
Filter history by cloud |
spawn list --clear |
Clear all spawn history |
spawn last |
Instantly rerun the most recent spawn |
spawn agents |
List all agents with descriptions |
spawn clouds |
List all cloud providers |
spawn update |
Check for CLI updates |
spawn delete |
Interactively select and destroy a cloud server |
spawn delete -a <agent> |
Filter servers to delete by agent |
spawn delete -c <cloud> |
Filter servers to delete by cloud |
spawn help |
Show help message |
spawn version |
Show version |
Without the CLI
Every combination works as a one-liner — no install required:
bash <(curl -fsSL https://openrouter.ai/labs/spawn/{cloud}/{agent}.sh)
Non-Interactive Mode
Skip prompts by providing environment variables:
# OpenRouter API key (required for all agents)
export OPENROUTER_API_KEY=sk-or-v1-xxxxx
# Cloud-specific credentials (varies by provider)
# Note: Sprite uses `sprite login` for authentication
export HCLOUD_TOKEN=... # For Hetzner
export DO_API_TOKEN=... # For DigitalOcean
# Run non-interactively
spawn claude hetzner
You can also use inline environment variables:
OPENROUTER_API_KEY=sk-or-v1-xxxxx spawn claude sprite
Get your OpenRouter API key at: https://openrouter.ai/settings/keys
For cloud-specific auth, see each cloud's README in this repository.
Troubleshooting
Installation issues
If spawn fails to install, try these steps:
-
Check bun version: spawn requires bun >= 1.2.0
bun --version bun upgrade # if needed -
Manual installation: If auto-install fails, install bun first
curl -fsSL https://bun.sh/install | bash source ~/.bashrc # or ~/.zshrc for zsh curl -fsSL https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/cli/install.sh | bash -
PATH issues: If
spawncommand not found after install# Add to your shell config (~/.bashrc or ~/.zshrc) export PATH="$HOME/.local/bin:$PATH"
Agent launch failures
If an agent fails to install or launch on a cloud:
-
Check credentials: Ensure cloud provider credentials are set
# Example for Hetzner export HCLOUD_TOKEN=your-token-here spawn claude hetzner -
Try a different cloud: Some clouds may have temporary issues
spawn <agent> # Interactive picker to choose another cloud -
Use --dry-run: Preview what spawn will do before provisioning
spawn claude hetzner --dry-run -
Check cloud status: Visit your cloud provider's status page
- Many failures are transient (network timeouts, package mirror issues)
- Retrying often succeeds
Getting help
- View command history:
spawn listshows all previous launches - Rerun last session:
spawn lastorspawn rerun - Check version:
spawn versionshows CLI version and cache status - Update spawn:
spawn updatechecks for the latest version - Report bugs: Open an issue at https://github.com/OpenRouterTeam/spawn/issues
Matrix
| Local Machine | Hetzner Cloud | Fly.io | AWS Lightsail | Daytona | DigitalOcean | GCP Compute Engine | Sprite | |
|---|---|---|---|---|---|---|---|---|
| Claude Code | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| OpenClaw | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| ZeroClaw | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Codex CLI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| OpenCode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Kilo Code | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
How it works
Each cell in the matrix is a self-contained bash script that:
- Provisions a server on the cloud provider
- Installs the agent
- Injects your OpenRouter API key so every agent uses the same billing
- Drops you into an interactive session
Scripts work standalone (bash <(curl ...)) or through the CLI.
Development
git clone https://github.com/OpenRouterTeam/spawn.git
cd spawn
git config core.hooksPath .githooks
Structure
{cloud}/lib/common.sh # Cloud provider primitives (provision, SSH, cleanup)
{cloud}/{agent}.sh # Agent deployment script
shared/common.sh # Shared utilities (OAuth, logging, SSH helpers)
cli/ # TypeScript CLI (bun)
manifest.json # Source of truth for the matrix
Adding a new cloud
- Create
{cloud}/lib/common.shwith provisioning primitives - Add to
manifest.json - Implement agent scripts using the cloud's primitives
- See CLAUDE.md for full contributor guide
Adding a new agent
- Add to
manifest.json - Implement on 1+ cloud by adapting an existing agent script
- Must support OpenRouter via env var injection
Contributing
The easiest way to contribute is by testing and reporting issues. You don't need to write code.
Test a cloud provider
Pick any agent + cloud combination from the matrix and try it out:
spawn claude hetzner # or any combination
If something breaks, hangs, or behaves unexpectedly, open an issue using the bug report template. Include:
- The exact command you ran
- The cloud provider and agent
- What happened vs. what you expected
- Any error output
Request a cloud or agent
Want to see a specific cloud provider or agent supported? Use the dedicated templates:
Requests with real-world use cases get prioritized.
Report auth or credential issues
Cloud provider APIs change frequently. If you hit authentication failures, expired tokens, or permission errors on a provider that previously worked, please report it — these are high-priority fixes.
Code contributions
See CLAUDE.md for the full contributor guide covering shell script rules, testing, and the shared library pattern.