vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 03:49:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
spawn/sh/daytona
History
A 1097f055c3
fix(security): add --proto '=https' to all curl executable downloads (#2160) 
42 curl calls downloading JS bundles, CLI binaries, and gh CLI tarballs
were missing --proto '=https', allowing protocol downgrade attacks on
hostile networks. PR #2138 fixed bun installer calls; this closes the
remaining gap for executable downloads.

Fixes applied:
- sh/{sprite,aws,gcp,hetzner,daytona,local}/{claude,codex,openclaw,opencode,kilocode,hermes,zeroclaw}.sh (42 files)
- sh/cli/install.sh (cli.js download)
- sh/shared/github-auth.sh (keyring, API, tarball downloads)

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 23:38:03 -05:00
..
claude.sh fix(security): add --proto '=https' to all curl executable downloads (#2160) 2026-03-03 23:38:03 -05:00
codex.sh fix(security): add --proto '=https' to all curl executable downloads (#2160) 2026-03-03 23:38:03 -05:00
hermes.sh fix(security): add --proto '=https' to all curl executable downloads (#2160) 2026-03-03 23:38:03 -05:00
kilocode.sh fix(security): add --proto '=https' to all curl executable downloads (#2160) 2026-03-03 23:38:03 -05:00
openclaw.sh fix(security): add --proto '=https' to all curl executable downloads (#2160) 2026-03-03 23:38:03 -05:00
opencode.sh fix(security): add --proto '=https' to all curl executable downloads (#2160) 2026-03-03 23:38:03 -05:00
README.md feat: add hermes agent to 4 clouds, bump install wait to 600s (#2084) 2026-03-01 19:31:50 -05:00
zeroclaw.sh fix(security): add --proto '=https' to all curl executable downloads (#2160) 2026-03-03 23:38:03 -05:00

README.md

Daytona

Daytona sandboxed environments for AI code execution. Daytona

Sub-90ms sandbox creation. True SSH support via daytona ssh. Requires DAYTONA_API_KEY from https://app.daytona.io.

Agents

Claude Code

bash <(curl -fsSL https://openrouter.ai/labs/spawn/daytona/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/labs/spawn/daytona/openclaw.sh)

ZeroClaw

bash <(curl -fsSL https://openrouter.ai/labs/spawn/daytona/zeroclaw.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/labs/spawn/daytona/codex.sh)

OpenCode

bash <(curl -fsSL https://openrouter.ai/labs/spawn/daytona/opencode.sh)

Kilo Code

bash <(curl -fsSL https://openrouter.ai/labs/spawn/daytona/kilocode.sh)

Hermes

bash <(curl -fsSL https://openrouter.ai/labs/spawn/daytona/hermes.sh)

Non-Interactive Mode

DAYTONA_SANDBOX_NAME=dev-mk1 \
DAYTONA_API_KEY=your-api-key \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/labs/spawn/daytona/claude.sh)

Environment Variables

Variable Description Default
DAYTONA_API_KEY Daytona API key (prompted)
DAYTONA_SANDBOX_NAME Sandbox name (prompted)
DAYTONA_CLASS Sandbox class (e.g. small, medium, large) small
DAYTONA_CPU Number of vCPUs (overrides --class) (unset)
DAYTONA_MEMORY Memory in MB (overrides --class) (unset)
DAYTONA_DISK Disk size in GB (overrides --class) (unset)
OPENROUTER_API_KEY OpenRouter API key (OAuth or prompted)

Note: Daytona rejects explicit --cpu/--memory/--disk flags when using snapshots. Use DAYTONA_CLASS instead. If explicit resource flags fail due to snapshot conflict, spawn automatically retries with --class small.