diff --git a/digitalocean/openclaw.sh b/digitalocean/openclaw.sh
index 69cef79f..7df509b9 100755
--- a/digitalocean/openclaw.sh
+++ b/digitalocean/openclaw.sh
@@ -70,6 +70,7 @@ run_server "$DO_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 
 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
   "env": {
diff --git a/hetzner/openclaw.sh b/hetzner/openclaw.sh
index 0749443b..7b7d0027 100755
--- a/hetzner/openclaw.sh
+++ b/hetzner/openclaw.sh
@@ -71,6 +71,7 @@ run_server "$HETZNER_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 
 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
   "env": {
diff --git a/linode/openclaw.sh b/linode/openclaw.sh
index 9f1b36bf..31cf7888 100755
--- a/linode/openclaw.sh
+++ b/linode/openclaw.sh
@@ -37,6 +37,7 @@ log_warn "Configuring openclaw..."
 run_server "$LINODE_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
   "env": { "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}" },
diff --git a/sprite/openclaw.sh b/sprite/openclaw.sh
index 3aba373a..60820b1c 100755
--- a/sprite/openclaw.sh
+++ b/sprite/openclaw.sh
@@ -65,26 +65,33 @@ run_sprite "$SPRITE_NAME" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 # Generate a random gateway token
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 
-OPENCLAW_CONFIG='{
+# Create config file locally first, then upload
+OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
+cat > "$OPENCLAW_CONFIG_TEMP" << EOF
+{
   "env": {
-    "OPENROUTER_API_KEY": "'"$OPENROUTER_API_KEY"'"
+    "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}"
   },
   "gateway": {
     "mode": "local",
     "auth": {
-      "token": "'"$GATEWAY_TOKEN"'"
+      "token": "${GATEWAY_TOKEN}"
     }
   },
   "agents": {
     "defaults": {
       "model": {
-        "primary": "openrouter/'"$MODEL_ID"'"
+        "primary": "openrouter/${MODEL_ID}"
       }
     }
   }
-}'
+}
+EOF
 
-run_sprite "$SPRITE_NAME" "echo '$OPENCLAW_CONFIG' > ~/.openclaw/openclaw.json"
+# Upload config file securely
+sprite exec -s "$SPRITE_NAME" -file "$OPENCLAW_CONFIG_TEMP:/tmp/openclaw_config.json" -- bash -c "mv /tmp/openclaw_config.json ~/.openclaw/openclaw.json"
+rm "$OPENCLAW_CONFIG_TEMP"
 
 echo ""
 log_info "✅ Sprite setup completed successfully!"
diff --git a/vultr/openclaw.sh b/vultr/openclaw.sh
index 720eb4b4..1c103d7c 100755
--- a/vultr/openclaw.sh
+++ b/vultr/openclaw.sh
@@ -53,6 +53,7 @@ run_server "$VULTR_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 
 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
   "env": { "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}" },