mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-05 23:50:48 +00:00
a0f6b335a4
Replace fragile blocklist validation and printf '%q' escaping in upload_file() with strict allowlist regex [a-zA-Z0-9/_.~-]+ across all non-SSH cloud providers. For codesandbox, additionally migrate from shell command interpolation to SDK filesystem API via environment variables, eliminating the injection surface entirely. Affected clouds: codesandbox, daytona, e2b, fly, koyeb, modal, northflank, railway, render, sprite Fixes #989 Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .claude | ||
| .githooks | ||
| .github | ||
| atlanticnet | ||
| aws-lightsail | ||
| binarylane | ||
| cherry | ||
| civo | ||
| cli | ||
| cloudsigma | ||
| codesandbox | ||
| contabo | ||
| daytona | ||
| digitalocean | ||
| e2b | ||
| exoscale | ||
| fly | ||
| gcp | ||
| genesiscloud | ||
| github-codespaces | ||
| hetzner | ||
| hostinger | ||
| hostkey | ||
| hyperstack | ||
| ionos | ||
| kamatera | ||
| koyeb | ||
| latitude | ||
| linode | ||
| local | ||
| modal | ||
| netcup | ||
| northflank | ||
| oracle | ||
| ovh | ||
| railway | ||
| ramnode | ||
| render | ||
| scaleway | ||
| shared | ||
| sprite | ||
| test | ||
| upcloud | ||
| vultr | ||
| .gitignore | ||
| .shellcheckrc | ||
| CLAUDE.md | ||
| LICENSE | ||
| manifest.json | ||
| README.md | ||
Spawn
Launch any AI agent on any cloud with a single command. Coding agents, research agents, self-hosted AI tools — Spawn deploys them all. All models powered by OpenRouter. (ALPHA software, use at your own risk!)
15 agents. 36 clouds. 514 combinations. Zero config.
Install
curl -fsSL https://openrouter.ai/labs/spawn/cli/install.sh | bash
Or install directly from GitHub:
curl -fsSL https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/cli/install.sh | bash
Usage
spawn # Interactive picker
spawn <agent> <cloud> # Launch directly
spawn matrix # Show the full agent x cloud matrix
Examples
spawn # Interactive picker
spawn claude sprite # Claude Code on Sprite
spawn aider hetzner # Aider on Hetzner
spawn claude sprite --prompt "Fix bugs" # Non-interactive with prompt
spawn aider sprite -p "Add tests" # Short form
spawn claude # Show clouds available for Claude
Commands
| Command | Description |
|---|---|
spawn |
Interactive agent + cloud picker |
spawn <agent> <cloud> |
Launch agent on cloud directly |
spawn <agent> <cloud> --dry-run |
Preview without provisioning |
spawn <agent> <cloud> -p "text" |
Non-interactive with prompt |
spawn <agent> <cloud> --prompt-file f.txt |
Prompt from file |
spawn <agent> |
Show available clouds for an agent |
spawn matrix |
Full agent x cloud matrix |
spawn list |
Show previously launched spawns |
spawn agents |
List all agents |
spawn clouds |
List all cloud providers |
spawn update |
Check for CLI updates |
Without the CLI
Every combination works as a one-liner — no install required:
bash <(curl -fsSL https://openrouter.ai/labs/spawn/{cloud}/{agent}.sh)
Non-Interactive Mode
Skip prompts by providing environment variables:
# OpenRouter API key (required for all agents)
export OPENROUTER_API_KEY=sk-or-v1-xxxxx
# Cloud-specific credentials (varies by provider)
export SPRITE_API_KEY=... # For Sprite
export HCLOUD_TOKEN=... # For Hetzner
export DO_API_TOKEN=... # For DigitalOcean
# Run non-interactively
spawn claude sprite
You can also use inline environment variables:
OPENROUTER_API_KEY=sk-or-v1-xxxxx spawn claude sprite
Get your OpenRouter API key at: https://openrouter.ai/settings/keys
For cloud-specific auth, see each cloud's README in this repository.
Matrix
| Sprite | Hetzner Cloud | DigitalOcean | Vultr | Linode (Akamai) | AWS Lightsail | GCP Compute Engine | GitHub Codespaces | CodeSandbox | E2B | Modal | Fly.io | Civo | Scaleway | Daytona | UpCloud | BinaryLane | Latitude.sh | OVHcloud | Kamatera | Cherry Servers | Oracle Cloud Infrastructure | Koyeb | Northflank | Railway | Render | IONOS Cloud | Exoscale | Contabo | Hostinger | Netcup | Local Machine | RamNode | Atlantic.Net | HOSTKEY | CloudSigma | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Claude Code | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| OpenClaw | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| NanoClaw | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Aider | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Goose | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Codex CLI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Open Interpreter | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Gemini CLI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Amazon Q CLI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Cline | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| gptme | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| OpenCode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Plandex | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Kilo Code | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Continue | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
How it works
Each cell in the matrix is a self-contained bash script that:
- Provisions a server on the cloud provider
- Installs the agent
- Injects your OpenRouter API key so every agent uses the same billing
- Drops you into an interactive session
Scripts work standalone (bash <(curl ...)) or through the CLI.
Development
git clone https://github.com/OpenRouterTeam/spawn.git
cd spawn
git config core.hooksPath .githooks
Structure
{cloud}/lib/common.sh # Cloud provider primitives (provision, SSH, cleanup)
{cloud}/{agent}.sh # Agent deployment script
shared/common.sh # Shared utilities (OAuth, logging, SSH helpers)
cli/ # TypeScript CLI (bun)
manifest.json # Source of truth for the matrix
Adding a new cloud
- Create
{cloud}/lib/common.shwith provisioning primitives - Add to
manifest.json - Implement agent scripts using the cloud's primitives
- See CLAUDE.md for full contributor guide
Adding a new agent
- Add to
manifest.json - Implement on 1+ cloud by adapting an existing agent script
- Must support OpenRouter via env var injection
Contributing
The easiest way to contribute is by testing and reporting issues. You don't need to write code.
Test a cloud provider
Pick any agent + cloud combination from the matrix and try it out:
spawn claude hetzner # or any combination
If something breaks, hangs, or behaves unexpectedly, open an issue using the bug report template. Include:
- The exact command you ran
- The cloud provider and agent
- What happened vs. what you expected
- Any error output
Request a cloud or agent
Want to see a specific cloud provider or agent supported? Use the dedicated templates:
Requests with real-world use cases get prioritized.
Report auth or credential issues
Cloud provider APIs change frequently. If you hit authentication failures, expired tokens, or permission errors on a provider that previously worked, please report it — these are high-priority fixes.
Code contributions
See CLAUDE.md for the full contributor guide covering shell script rules, testing, and the shared library pattern.