spawn/sh/sprite
cfa1ae7a08
fix(security): add --proto '=https' to all curl bun installer calls (#2138)
* fix(security): add --proto '=https' to all curl bun installer calls

Fixes #2134

All _ensure_bun() functions across aws, hetzner, gcp, local, daytona,
and sprite scripts now enforce HTTPS-only downloads via --proto '=https'.
This prevents MITM attacks during bun installation on remote VMs.
DigitalOcean scripts were already correct and are not changed.

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): add --proto '=https' to bun installer in TS files

Address security reviewer feedback: the same MITM vulnerability
existed in 5 TypeScript programmatic provisioning files.

Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): quote --proto '=https' in su -c curl calls

The aws.ts and gcp.ts files had --proto =https without quotes inside
su -c '...' blocks. Uses double quotes ("=https") to properly nest
inside the single-quoted su -c argument while maintaining protocol
restriction.

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 11:52:54 -08:00
.claude/rules refactor: move all shell scripts to /sh directory (#1843) 2026-02-23 21:14:54 -08:00
claude.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
codex.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
hermes.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
kilocode.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
openclaw.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
opencode.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00
README.md refactor: move all shell scripts to /sh directory (#1843) 2026-02-23 21:14:54 -08:00
zeroclaw.sh fix(security): add --proto '=https' to all curl bun installer calls (#2138) 2026-03-03 11:52:54 -08:00

Sprite

Sprites.dev managed VMs with CLI.

Agents

Claude Code

bash <(curl -fsSL https://openrouter.ai/labs/spawn/sprite/claude.sh)

OpenClaw

bash <(curl -fsSL https://openrouter.ai/labs/spawn/sprite/openclaw.sh)

ZeroClaw

bash <(curl -fsSL https://openrouter.ai/labs/spawn/sprite/zeroclaw.sh)

Codex CLI

bash <(curl -fsSL https://openrouter.ai/labs/spawn/sprite/codex.sh)

OpenCode

bash <(curl -fsSL https://openrouter.ai/labs/spawn/sprite/opencode.sh)

Kilo Code

bash <(curl -fsSL https://openrouter.ai/labs/spawn/sprite/kilocode.sh)

Non-Interactive Mode

SPRITE_NAME=dev-mk1 \
OPENROUTER_API_KEY=sk-or-v1-xxxxx \
  bash <(curl -fsSL https://openrouter.ai/labs/spawn/sprite/claude.sh)
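
The commit shown at the top of this page pins every curl installer call to HTTPS with --proto '=https', including the double-quoted form used inside su -c '...'. As an added example (not code from this repository), the POSIX shell lint below flags curl calls that lack that pin; the function names and the example.com URL are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: lint shell text for curl calls that are not pinned to HTTPS.

# True if the text runs curl outside a comment line.
has_curl() {
  printf '%s\n' "$1" | grep -Ev '^[[:space:]]*#' |
    grep -Eq '(^|[^[:alnum:]_./-])curl[[:space:]]'
}

# True only for --proto =https (bare, single- or double-quoted).
# A wider list such as "=https,http" is rejected.
is_pinned() {
  printf '%s\n' "$1" |
    grep -Eq -- "--proto[[:space:]]+['\"]?=https['\"]?([[:space:]]|\$)"
}

# Reads script text on stdin, prints "LINE: command" for each unpinned curl
# call, and exits 1 if any were found. Backslash continuations are joined,
# so a --proto on a later physical line of the same command still counts.
# The body is a subshell, so its variables do not leak into the caller.
find_unpinned_curl() (
  n=0 start=0 buf="" found=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    [ -n "$buf" ] || start=$n          # remember where the command began
    case $line in
      *\\) buf="$buf${line%\\} "; continue ;;
    esac
    buf="$buf$line"
    if has_curl "$buf" && ! is_pinned "$buf"; then
      printf '%s: %s\n' "$start" "$buf"
      found=1
    fi
    buf=""
  done
  exit "$found"
)

# Constructed sample input (hypothetical URL, not taken from the repository).
sample() {
  cat <<'EOF'
# curl -fsSL http://example.com/install | bash
curl -fsSL https://example.com/install | bash
curl --proto '=https' -fsSL https://example.com/install | bash
su - dev -c 'curl --proto "=https" -fsSL https://example.com/install | bash'
curl --proto '=https,http' -fsSL \
  https://example.com/install | bash
EOF
}

sample | find_unpinned_curl || echo "unpinned curl calls found"
```

On the constructed sample it reports lines 2 and 5. The check is textual, so it will also flag the word curl inside strings.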