You can clone with
HTTPS or Subversion.
I think this is not bad idea to put 'Deny from all' htaccess file in tools directory for spark-manager to prevent opening tools directory or manager files in web-browser when authors use in their projects .. somehow less valuable :-??
Seems like a good idea to me - we could also go with CodeIgniter's "no direct script access" style.