mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-05 23:50:48 +00:00
35b4bd5ada
SECURITY FIXES: - Add validate_oauth_port() to prevent command injection via port parameter - Ensures port is numeric and in range 1024-65535 - Prevents JavaScript injection in OAuth server code - Add CSRF state parameter to OAuth flow - Generate random 128-bit state token per session - Validate state parameter in callback to prevent OAuth code interception - Display error page if state validation fails IMPACT: - Prevents CRITICAL command injection vulnerability (CVE-worthy) - Prevents HIGH OAuth code stealing attacks via CSRF TESTING: - All 101 tests pass (bun test) - Syntax validated (bash -n) - No regressions introduced Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> |
||
|---|---|---|
| .claude | ||
| .githooks | ||
| .github | ||
| aws-lightsail | ||
| binarylane | ||
| civo | ||
| cli | ||
| daytona | ||
| digitalocean | ||
| e2b | ||
| fly | ||
| gcp | ||
| genesiscloud | ||
| hetzner | ||
| lambda | ||
| linode | ||
| modal | ||
| railway | ||
| runpod | ||
| scaleway | ||
| shared | ||
| sprite | ||
| test | ||
| upcloud | ||
| vultr | ||
| .gitignore | ||
| .shellcheckrc | ||
| CLAUDE.md | ||
| LICENSE | ||
| manifest.json | ||
| README.md | ||
Spawn
Launch any AI coding agent on any cloud with a single command. All models powered by OpenRouter. (ALPHA software, use at your own risk!)
13 agents. 18 clouds. 234 combinations. Zero config.
Install
curl -fsSL https://openrouter.ai/lab/spawn/cli/install.sh | bash
Or install directly from GitHub:
curl -fsSL https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/cli/install.sh | bash
Usage
spawn # Interactive picker
spawn <agent> <cloud> # Launch directly
spawn list # Show the full matrix
Examples
spawn # Interactive picker
spawn claude sprite # Claude Code on Sprite
spawn aider hetzner # Aider on Hetzner
spawn claude sprite --prompt "Fix bugs" # Non-interactive with prompt
spawn aider sprite -p "Add tests" # Short form
spawn claude # Show clouds available for Claude
Commands
| Command | Description |
|---|---|
spawn |
Interactive agent + cloud picker |
spawn <agent> <cloud> |
Launch agent on cloud directly |
spawn <agent> <cloud> -p "text" |
Non-interactive with prompt |
spawn <agent> <cloud> --prompt-file f.txt |
Prompt from file |
spawn <agent> |
Show available clouds for an agent |
spawn list |
Full agent x cloud matrix |
spawn agents |
List all agents |
spawn clouds |
List all cloud providers |
spawn update |
Check for CLI updates |
Without the CLI
Every combination works as a one-liner — no install required:
bash <(curl -fsSL https://openrouter.ai/lab/spawn/{cloud}/{agent}.sh)
Non-Interactive Mode
Skip prompts by providing environment variables:
# OpenRouter API key (required for all agents)
export OPENROUTER_API_KEY=sk-or-v1-xxxxx
# Cloud-specific credentials (varies by provider)
export SPRITE_API_KEY=... # For Sprite
export HCLOUD_TOKEN=... # For Hetzner
export DIGITALOCEAN_TOKEN=... # For DigitalOcean
# Run non-interactively
spawn claude sprite
You can also use inline environment variables:
OPENROUTER_API_KEY=sk-or-v1-xxxxx spawn claude sprite
Get your OpenRouter API key at: https://openrouter.ai/settings/keys
For cloud-specific auth, see each cloud's README in this repository.
Matrix
| Sprite | Hetzner | DigitalOcean | Vultr | Linode | Lambda | Lightsail | GCP | E2B | Modal | Fly.io | Civo | Scaleway | Daytona | RunPod | UpCloud | BinaryLane | Genesis Cloud | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Claude Code | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| OpenClaw | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| NanoClaw | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Aider | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Goose | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Codex CLI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Open Interpreter | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Gemini CLI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Amazon Q CLI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cline | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| gptme | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| OpenCode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Plandex | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
How it works
Each cell in the matrix is a self-contained bash script that:
- Provisions a server on the cloud provider
- Installs the coding agent
- Injects your OpenRouter API key so every agent uses the same billing
- Drops you into an interactive session
Scripts work standalone (bash <(curl ...)) or through the CLI.
Development
git clone https://github.com/OpenRouterTeam/spawn.git
cd spawn
git config core.hooksPath .githooks
Structure
{cloud}/lib/common.sh # Cloud provider primitives (provision, SSH, cleanup)
{cloud}/{agent}.sh # Agent deployment script
shared/common.sh # Shared utilities (OAuth, logging, SSH helpers)
cli/ # TypeScript CLI (bun)
manifest.json # Source of truth for the matrix
Adding a new cloud
- Create
{cloud}/lib/common.shwith provisioning primitives - Add to
manifest.json - Implement agent scripts using the cloud's primitives
- See CLAUDE.md for full contributor guide
Adding a new agent
- Add to
manifest.json - Implement on 1+ cloud by adapting an existing agent script
- Must support OpenRouter via env var injection