mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-06 08:10:48 +00:00
e8dc7b4752
8 scripts were embedding OPENROUTER_API_KEY directly into shell command
strings passed to run_server/run_in_codespace, allowing command injection
if the API key contains shell metacharacters (single quotes, semicolons,
backticks, etc.).
The worst case was latitude/continue.sh which had zero quoting:
export OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
allowing arbitrary command execution on the remote server with a
crafted API key value.
Fixed by replacing unsafe inline patterns with the existing secure
helpers (inject_env_vars_ssh, inject_env_vars_local, inject_env_vars)
which use generate_env_config to properly single-quote values with
embedded quote escaping.
Affected scripts:
- scaleway/continue.sh (single-quote breakout)
- upcloud/continue.sh (double-quote breakout)
- e2b/continue.sh (single-quote breakout)
- modal/continue.sh (single-quote breakout)
- daytona/continue.sh (single-quote breakout)
- latitude/continue.sh (no quoting at all - critical)
- github-codespaces/continue.sh (single-quote breakout)
- kamatera/nanoclaw.sh (single-quote breakout in .env write)
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| lib | ||
| aider.sh | ||
| amazonq.sh | ||
| claude.sh | ||
| cline.sh | ||
| codex.sh | ||
| continue.sh | ||
| gemini.sh | ||
| goose.sh | ||
| gptme.sh | ||
| interpreter.sh | ||
| kilocode.sh | ||
| nanoclaw.sh | ||
| openclaw.sh | ||
| opencode.sh | ||
| plandex.sh | ||
| README.md | ||
Latitude.sh
Bare metal and VM cloud servers via REST API. Latitude.sh
Agents
Claude Code
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/claude.sh)
OpenClaw
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/openclaw.sh)
NanoClaw
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/nanoclaw.sh)
Aider
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/aider.sh)
Goose
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/goose.sh)
Codex CLI
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/codex.sh)
Open Interpreter
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/interpreter.sh)
Gemini CLI
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/gemini.sh)
Amazon Q CLI
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/amazonq.sh)
Cline
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/cline.sh)
gptme
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/gptme.sh)
OpenCode
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/opencode.sh)
Plandex
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/plandex.sh)
Non-Interactive Mode
LATITUDE_SERVER_NAME=dev-mk1 \
LATITUDE_API_KEY=your-api-key \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
bash <(curl -fsSL https://openrouter.ai/lab/spawn/latitude/claude.sh)
Environment Variables
| Variable | Description |
|---|---|
LATITUDE_API_KEY |
Latitude.sh API key (required) |
LATITUDE_SERVER_NAME |
Server hostname (prompted if not set) |
LATITUDE_PROJECT_ID |
Project ID (auto-detected from first project) |
LATITUDE_PLAN |
Server plan (default: vm.tiny) |
LATITUDE_SITE |
Data center site (default: DAL2) |
LATITUDE_OS |
Operating system (default: ubuntu_24_04_x64_lts) |
OPENROUTER_API_KEY |
OpenRouter API key for agent access |
Available Plans
| Plan | Specs | Price |
|---|---|---|
vm.tiny |
4 vCPUs, 8GB RAM | $0.07/hr |
vm.small |
8 vCPUs, 16GB RAM | $0.14/hr |
vm.medium |
12 vCPUs, 24GB RAM | $0.25/hr |
m4.metal.small |
AMD 4244P (6 cores), 64GB RAM | $0.37/hr |
Available Sites
US (Dallas, LAX, NYC, Chicago, Ashburn, Miami, Silicon Valley), Brazil, Australia, Chile, Japan, Mexico, UK, Germany, Argentina, Colombia, Singapore, Netherlands.
Get your API key at: https://www.latitude.sh/dashboard (Settings & Billing -> API Keys)