mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-04-28 11:59:29 +00:00
e8dc7b4752
8 scripts were embedding OPENROUTER_API_KEY directly into shell command
strings passed to run_server/run_in_codespace, allowing command injection
if the API key contains shell metacharacters (single quotes, semicolons,
backticks, etc.).
The worst case was latitude/continue.sh which had zero quoting:
export OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
allowing arbitrary command execution on the remote server with a
crafted API key value.
Fixed by replacing unsafe inline patterns with the existing secure
helpers (inject_env_vars_ssh, inject_env_vars_local, inject_env_vars)
which use generate_env_config to properly single-quote values with
embedded quote escaping.
Affected scripts:
- scaleway/continue.sh (single-quote breakout)
- upcloud/continue.sh (double-quote breakout)
- e2b/continue.sh (single-quote breakout)
- modal/continue.sh (single-quote breakout)
- daytona/continue.sh (single-quote breakout)
- latitude/continue.sh (no quoting at all - critical)
- github-codespaces/continue.sh (single-quote breakout)
- kamatera/nanoclaw.sh (single-quote breakout in .env write)
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| lib | ||
| aider.sh | ||
| amazonq.sh | ||
| claude.sh | ||
| cline.sh | ||
| codex.sh | ||
| continue.sh | ||
| gemini.sh | ||
| goose.sh | ||
| gptme.sh | ||
| interpreter.sh | ||
| kilocode.sh | ||
| nanoclaw.sh | ||
| openclaw.sh | ||
| opencode.sh | ||
| plandex.sh | ||
| README.md | ||
GitHub Codespaces
GitHub Codespaces development environments via gh CLI. GitHub Codespaces
Agents
Claude Code
bash <(curl -fsSL https://openrouter.ai/lab/spawn/github-codespaces/claude.sh)
Aider
bash <(curl -fsSL https://openrouter.ai/lab/spawn/github-codespaces/aider.sh)
gptme
bash <(curl -fsSL https://openrouter.ai/lab/spawn/github-codespaces/gptme.sh)
Non-Interactive Mode
GITHUB_REPO=OpenRouterTeam/spawn \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
bash <(curl -fsSL https://openrouter.ai/lab/spawn/github-codespaces/claude.sh)
Environment Variables
| Variable | Description | Default |
|---|---|---|
GITHUB_REPO |
Repository for codespace | OpenRouterTeam/spawn |
CODESPACE_MACHINE |
Machine type | basicLinux32gb |
CODESPACE_IDLE_TIMEOUT |
Idle timeout | 30m |
OPENROUTER_API_KEY |
OpenRouter API key | (OAuth or prompted) |
Pricing
GitHub Codespaces uses pay-as-you-go pricing:
- Compute: Starting at $0.18/hr for basicLinux32gb (2 core, 4GB RAM)
- Storage: $0.07/GB per month
- Free tier: Available for personal accounts (limited hours/month)
See GitHub Codespaces pricing for details.
Prerequisites
- GitHub CLI (
gh) installed and authenticated - Active GitHub account
- Repository access (default: OpenRouterTeam/spawn)
Machine Types
| Machine | Cores | RAM | Price/hr |
|---|---|---|---|
| basicLinux32gb | 2 | 4GB | $0.18 |
| standardLinux32gb | 4 | 8GB | $0.36 |
| premiumLinux | 8 | 16GB | $0.72 |
| largePremiumLinux | 16 | 32GB | $1.44 |
Set via CODESPACE_MACHINE environment variable.