security: Fix command injection in openclaw.sh files

Fixed command injection vulnerability in sprite/openclaw.sh where
OPENCLAW_CONFIG was echoed directly into remote shell command with
user-controlled MODEL_ID variable. Changed to use temp file + secure
upload instead of inline echo.

Also added chmod 600 to all OPENCLAW_CONFIG_TEMP files across all
cloud providers (linode, vultr, digitalocean, hetzner, sprite) to
prevent race condition where credentials could be exposed in temp
files before being written.

Changes:
- sprite/openclaw.sh: Replaced echo with temp file + sprite exec -file
- All openclaw.sh: Added chmod 600 after mktemp for credentials

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

digitalocean/openclaw.sh

@@ -70,6 +70,7 @@ run_server "$DO_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 
 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
   "env": {

hetzner/openclaw.sh

@@ -71,6 +71,7 @@ run_server "$HETZNER_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 
 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
   "env": {

linode/openclaw.sh

@@ -37,6 +37,7 @@ log_warn "Configuring openclaw..."
 run_server "$LINODE_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
   "env": { "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}" },

sprite/openclaw.sh

@@ -65,26 +65,33 @@ run_sprite "$SPRITE_NAME" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 # Generate a random gateway token
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 
-OPENCLAW_CONFIG='{
+# Create config file locally first, then upload
+OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
+cat > "$OPENCLAW_CONFIG_TEMP" << EOF
+{
   "env": {
-    "OPENROUTER_API_KEY": "'"$OPENROUTER_API_KEY"'"
+    "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}"
   },
   "gateway": {
     "mode": "local",
     "auth": {
-      "token": "'"$GATEWAY_TOKEN"'"
+      "token": "${GATEWAY_TOKEN}"
     }
   },
   "agents": {
     "defaults": {
       "model": {
-        "primary": "openrouter/'"$MODEL_ID"'"
+        "primary": "openrouter/${MODEL_ID}"
       }
     }
   }
-}'
+}
+EOF
 
-run_sprite "$SPRITE_NAME" "echo '$OPENCLAW_CONFIG' > ~/.openclaw/openclaw.json"
+# Upload config file securely
+sprite exec -s "$SPRITE_NAME" -file "$OPENCLAW_CONFIG_TEMP:/tmp/openclaw_config.json" -- bash -c "mv /tmp/openclaw_config.json ~/.openclaw/openclaw.json"
+rm "$OPENCLAW_CONFIG_TEMP"
 
 echo ""
 log_info "✅ Sprite setup completed successfully!"

vultr/openclaw.sh

@@ -53,6 +53,7 @@ run_server "$VULTR_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 
 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
   "env": { "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}" },