vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-31 21:40:28 +00:00

mirror of https://github.com/OpenRouterTeam/spawn , link from https://openrouter.ai/spawn and https://discord.com/channels/1091220969173028894/1092729520181739581/1483604863098028273 https://openrouter.ai/spawn

claude cli codex openclaw vm

Find a file

Sprite 7162f9c236 refactor: secure temp files with chmod 600 before writing credentials Added chmod 600 to all temporary files that contain sensitive data (API keys, tokens, configs): - ENV_TEMP: 35 files (all agent scripts across 5 clouds) - OPENCLAW_CONFIG_TEMP: 5 files (already done in previous commit) - SETTINGS_TEMP: 5 files (Claude Code settings) - GLOBAL_STATE_TEMP: 5 files (Claude Code global state) - DOTENV_TEMP: 5 files (NanoClaw .env files) Total: 55 temp files secured This prevents race conditions where sensitive data could be read by other users between mktemp creation (mode 600 by default) and data being written. Security hardening for task #23. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>		2026-02-07 20:03:55 +00:00
digitalocean	refactor: secure temp files with chmod 600 before writing credentials	2026-02-07 20:03:55 +00:00
hetzner	refactor: secure temp files with chmod 600 before writing credentials	2026-02-07 20:03:55 +00:00
linode	refactor: secure temp files with chmod 600 before writing credentials	2026-02-07 20:03:55 +00:00
shared	refactor: Extract SSH key management helpers to reduce nesting	2026-02-07 20:03:43 +00:00
sprite	refactor: secure temp files with chmod 600 before writing credentials	2026-02-07 20:03:55 +00:00
test	Add NanoClaw spawn script (#2 )	2026-02-06 21:23:18 -08:00
vultr	refactor: secure temp files with chmod 600 before writing credentials	2026-02-07 20:03:55 +00:00
CLAUDE.md	Add continuous improvement workflow for spawn matrix (#5 )	2026-02-07 08:47:21 -08:00
improve.sh	Add continuous improvement workflow for spawn matrix (#5 )	2026-02-07 08:47:21 -08:00
manifest.json	Add Open Interpreter as seventh agent across all clouds (#13 )	2026-02-07 09:30:27 -08:00
README.md	refactor: secure temp files with chmod 600 before writing credentials	2026-02-07 20:03:55 +00:00

README.md

Spawn

Conjure your agents!

Features

🔐 Automatic OAuth - Seamless authentication with OpenRouter
🔄 Smart Fallback - Manual API key entry if OAuth fails
🚀 One Command Setup - Get running in minutes
🔧 Environment Ready - Pre-configured shell and dependencies

Usage

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/nanoclaw.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/aider.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/interpreter.sh)

Non-Interactive Mode

For automation or CI/CD, set environment variables:

Claude Code

SPRITE_NAME=dev-mk1 \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/claude.sh)

OpenClaw

SPRITE_NAME=dev-mk1 \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/openclaw.sh)

NanoClaw

SPRITE_NAME=dev-mk1 \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/sprite/nanoclaw.sh)

Environment Variables:

SPRITE_NAME - Name for the sprite (skips prompt)
OPENROUTER_API_KEY - Skip OAuth and use this API key directly

Hetzner Cloud

Spawn agents on Hetzner Cloud servers. No hcloud CLI needed — uses the Hetzner REST API directly.

Usage

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/nanoclaw.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/aider.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/interpreter.sh)

Non-Interactive Mode

HETZNER_SERVER_NAME=dev-mk1 \
HCLOUD_TOKEN=your-hetzner-api-token \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/hetzner/claude.sh)

Environment Variables:

HETZNER_SERVER_NAME - Name for the server (skips prompt)
HCLOUD_TOKEN - Hetzner Cloud API token (skips prompt, saved to ~/.config/spawn/hetzner.json)
OPENROUTER_API_KEY - Skip OAuth and use this API key directly
HETZNER_SERVER_TYPE - Server type (default: cx22)
HETZNER_LOCATION - Datacenter location (default: fsn1)

DigitalOcean

Spawn agents on DigitalOcean Droplets via REST API.

Usage

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/nanoclaw.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/aider.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/interpreter.sh)

Non-Interactive Mode

DO_DROPLET_NAME=dev-mk1 \
DO_API_TOKEN=your-digitalocean-api-token \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/digitalocean/claude.sh)

Environment Variables:

DO_DROPLET_NAME - Name for the droplet (skips prompt)
DO_API_TOKEN - DigitalOcean API token (skips prompt, saved to ~/.config/spawn/digitalocean.json)
OPENROUTER_API_KEY - Skip OAuth and use this API key directly
DO_DROPLET_SIZE - Droplet size (default: s-2vcpu-2gb)
DO_REGION - Datacenter region (default: nyc3)

Vultr

Spawn agents on Vultr Cloud Compute instances via REST API.

Usage

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/nanoclaw.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/aider.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/interpreter.sh)

Non-Interactive Mode

VULTR_SERVER_NAME=dev-mk1 \
VULTR_API_KEY=your-vultr-api-key \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/vultr/claude.sh)

Environment Variables:

VULTR_SERVER_NAME - Name for the instance (skips prompt)
VULTR_API_KEY - Vultr API key (skips prompt, saved to ~/.config/spawn/vultr.json)
OPENROUTER_API_KEY - Skip OAuth and use this API key directly
VULTR_PLAN - Instance plan (default: vc2-1c-2gb)
VULTR_REGION - Datacenter region (default: ewr)

Linode (Akamai)

Spawn agents on Linode instances via REST API.

Usage

Claude Code

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/openclaw.sh)

NanoClaw

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/nanoclaw.sh)

Aider

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/aider.sh)

Goose

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/goose.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/codex.sh)

Open Interpreter

bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/interpreter.sh)

Non-Interactive Mode

LINODE_SERVER_NAME=dev-mk1 \
LINODE_API_TOKEN=your-linode-api-token \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/lab/spawn/linode/claude.sh)

Environment Variables:

LINODE_SERVER_NAME - Label for the Linode (skips prompt)
LINODE_API_TOKEN - Linode API token (skips prompt, saved to ~/.config/spawn/linode.json)
OPENROUTER_API_KEY - Skip OAuth and use this API key directly
LINODE_TYPE - Instance type (default: g6-standard-1)
LINODE_REGION - Datacenter region (default: us-east)

Security

API Token Storage

Spawn stores cloud provider API tokens and OpenRouter API keys locally in JSON files at ~/.config/spawn/:

hetzner.json - Hetzner Cloud API token
digitalocean.json - DigitalOcean API token
vultr.json - Vultr API key
linode.json - Linode API token
OpenRouter API keys stored in shell config files (~/.bashrc, ~/.zshrc)

Security Posture:

All token files are created with chmod 600 (user read/write only)
Tokens are stored in plaintext - not encrypted at rest
Security relies on filesystem permissions and OS user isolation

Recommendations:

Protect your user account - Use strong passwords, disk encryption, and secure your SSH keys
Use dedicated API tokens - Create tokens specifically for Spawn with minimal required permissions
Rotate tokens regularly - Revoke and regenerate API tokens periodically
Multi-user systems - On shared machines, be aware that root users can read these files
Backup security - Ensure backups of ~/.config/ are encrypted

Why plaintext?

Simplicity and compatibility across all Unix-like systems
File permissions (600) provide adequate protection for single-user machines
Encryption at rest would require key management, adding complexity without significant security benefit for typical use cases
Cloud providers recommend similar approaches for CLI tools (AWS CLI, gcloud, etc.)

Alternative approaches:

For higher security requirements, consider using environment variables instead of saved tokens
Pass OPENROUTER_API_KEY, HCLOUD_TOKEN, etc. as environment variables on each run
Use OS credential stores (Keychain on macOS, Secret Service on Linux) - requires additional dependencies