fix(security): replace unquoted heredocs with printf to prevent shell expansion in API keys (#1031)

Unquoted `<< EOF` heredocs in nanoclaw .env file creation cause shell
expansion of the API key value. If an API key contains `$`, backticks,
or `\`, the value is silently corrupted or could trigger command
execution. Replace with `printf '%s'` which safely writes the value
without interpretation.

Also fix unquoted variable expansion in upload_config_file's mv command
and the github-codespaces/openclaw.sh config heredoc.

Fixes 34 scripts across all cloud providers.

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

github-codespaces/nanoclaw.sh

@@ -66,9 +66,7 @@ DOTENV_TEMP=$(mktemp)
 chmod 600 "${DOTENV_TEMP}"
 track_temp_file "${DOTENV_TEMP}"
 
-cat > "${DOTENV_TEMP}" << EOF
-ANTHROPIC_API_KEY=${OPENROUTER_API_KEY}
-EOF
+printf 'ANTHROPIC_API_KEY=%s\n' "${OPENROUTER_API_KEY}" > "${DOTENV_TEMP}"
 
 upload_file "${DOTENV_TEMP}" "/tmp/nanoclaw_env"
 run_server "mv /tmp/nanoclaw_env ~/nanoclaw/.env"

github-codespaces/openclaw.sh

@@ -65,12 +65,7 @@ CONFIG_TEMP=$(mktemp)
 chmod 600 "${CONFIG_TEMP}"
 track_temp_file "${CONFIG_TEMP}"
 
-cat > "${CONFIG_TEMP}" << EOF
-{
-  "modelId": "${MODEL_ID}",
-  "provider": "anthropic"
-}
-EOF
+printf '{\n  "modelId": "%s",\n  "provider": "anthropic"\n}\n' "${MODEL_ID}" > "${CONFIG_TEMP}"
 
 upload_file "${CONFIG_TEMP}" "/tmp/openclaw_config.json"
 run_server "mkdir -p ~/.config/openclaw && mv /tmp/openclaw_config.json ~/.config/openclaw/config.json"