mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-06 08:10:48 +00:00
376722e5fa
Security improvements to prevent injection attacks: 1. Added validateIdentifier() function: - Validates agent and cloud names against allowlist pattern - Prevents path traversal (../, /, \) - Prevents command injection via special characters - Enforces length limits (max 64 chars) - Only allows lowercase alphanumeric, hyphens, underscores 2. Added validateScriptContent() function: - Validates bash scripts before execution - Blocks dangerous patterns (rm -rf /, fork bombs, mkfs, dd) - Blocks nested curl|bash and wget|bash - Requires valid shebang 3. Applied validation to user inputs: - cmdRun: validates agent and cloud parameters - cmdAgentInfo: validates agent parameter - runBash: validates script content before exec 4. Added comprehensive security test suite SECURITY-CRITICAL: These changes prevent: - Path traversal attacks - Command injection via agent/cloud names - URL injection attacks - Execution of obviously malicious scripts Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> |
||
|---|---|---|
| .claude | ||
| .githooks | ||
| .github/workflows | ||
| aws-lightsail | ||
| cli | ||
| digitalocean | ||
| e2b | ||
| fly | ||
| gcp | ||
| hetzner | ||
| lambda | ||
| linode | ||
| modal | ||
| shared | ||
| sprite | ||
| test | ||
| vultr | ||
| .shellcheckrc | ||
| CLAUDE.md | ||
| improve.sh | ||
| manifest.json | ||
| README.md | ||
Spawn
Launch any agent on any cloud, powered by OpenRouter.
Install
curl -fsSL https://openrouter.ai/lab/spawn/cli/install.sh | bash
Usage
spawn # Interactive picker
spawn <agent> <cloud> # Launch directly
spawn list # Show the full matrix
Examples
spawn claude sprite # Claude Code on Sprite
spawn aider hetzner # Aider on Hetzner Cloud
spawn goose digitalocean # Goose on DigitalOcean
spawn codex vultr # Codex CLI on Vultr
Commands
| Command | Description |
|---|---|
spawn |
Interactive agent + cloud picker |
spawn <agent> <cloud> |
Launch agent on cloud directly |
spawn <agent> |
Show available clouds for an agent |
spawn list |
Full agent x cloud matrix |
spawn agents |
List all agents |
spawn clouds |
List all cloud providers |
Without the CLI
Every combination also works as a one-liner:
bash <(curl -fsSL https://openrouter.ai/lab/spawn/{cloud}/{agent}.sh)
Non-Interactive
Skip all prompts with environment variables:
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
spawn claude sprite
Each cloud has its own env vars for auth — see the cloud's README.
Matrix
| Sprite | Hetzner | DigitalOcean | Vultr | Linode | Lambda | Lightsail | GCP | E2B | Modal | Fly.io | |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Claude Code | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| OpenClaw | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| NanoClaw | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Aider | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Goose | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Codex CLI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Interpreter | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Gemini CLI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Amazon Q | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cline | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| gptme | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Development
git clone https://github.com/OpenRouterTeam/spawn.git
cd spawn
git config core.hooksPath .githooks