mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-06 08:10:48 +00:00
e8dc7b4752
8 scripts were embedding OPENROUTER_API_KEY directly into shell command
strings passed to run_server/run_in_codespace, allowing command injection
if the API key contains shell metacharacters (single quotes, semicolons,
backticks, etc.).
The worst case was latitude/continue.sh which had zero quoting:
export OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
allowing arbitrary command execution on the remote server with a
crafted API key value.
Fixed by replacing unsafe inline patterns with the existing secure
helpers (inject_env_vars_ssh, inject_env_vars_local, inject_env_vars)
which use generate_env_config to properly single-quote values with
embedded quote escaping.
Affected scripts:
- scaleway/continue.sh (single-quote breakout)
- upcloud/continue.sh (double-quote breakout)
- e2b/continue.sh (single-quote breakout)
- modal/continue.sh (single-quote breakout)
- daytona/continue.sh (single-quote breakout)
- latitude/continue.sh (no quoting at all - critical)
- github-codespaces/continue.sh (single-quote breakout)
- kamatera/nanoclaw.sh (single-quote breakout in .env write)
Agent: security-auditor
Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| lib | ||
| aider.sh | ||
| amazonq.sh | ||
| claude.sh | ||
| cline.sh | ||
| codex.sh | ||
| continue.sh | ||
| gemini.sh | ||
| goose.sh | ||
| gptme.sh | ||
| interpreter.sh | ||
| kilocode.sh | ||
| nanoclaw.sh | ||
| openclaw.sh | ||
| opencode.sh | ||
| plandex.sh | ||
| README.md | ||
UpCloud
UpCloud cloud servers via REST API. UpCloud
Agents
Claude Code
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/claude.sh)
OpenClaw
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/openclaw.sh)
NanoClaw
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/nanoclaw.sh)
Aider
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/aider.sh)
Goose
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/goose.sh)
Codex CLI
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/codex.sh)
Open Interpreter
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/interpreter.sh)
Gemini CLI
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/gemini.sh)
Amazon Q CLI
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/amazonq.sh)
Cline
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/cline.sh)
gptme
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/gptme.sh)
OpenCode
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/opencode.sh)
Plandex
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/plandex.sh)
Non-Interactive Mode
UPCLOUD_SERVER_NAME=dev-mk1 \
UPCLOUD_USERNAME=your-api-username \
UPCLOUD_PASSWORD=your-api-password \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
bash <(curl -fsSL https://openrouter.ai/lab/spawn/upcloud/claude.sh)
Environment Variables
| Variable | Description | Default |
|---|---|---|
UPCLOUD_USERNAME |
UpCloud API username | (prompted) |
UPCLOUD_PASSWORD |
UpCloud API password | (prompted) |
UPCLOUD_SERVER_NAME |
Server name | (prompted) |
UPCLOUD_ZONE |
Datacenter zone | de-fra1 |
UPCLOUD_PLAN |
Server plan | 1xCPU-2GB |
OPENROUTER_API_KEY |
OpenRouter API key | (OAuth or prompted) |