fix: pass file paths via env vars instead of bash interpolation in node -e calls

Addresses PR review feedback: bash variable interpolation into JavaScript
string literals could allow injection if paths contain special characters.
All 4 node -e calls (package.json writer, config creator, config updater,
and PID file writer) now receive paths via process.env instead of ${var}
interpolation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Alex Newman
2026-02-12 15:03:29 -05:00
parent de549cac05
commit 54ca601e8f
-8
@@ -571,7 +571,6 @@ install_plugin() {
cp "${plugin_src}/dist/index.d.ts" "${installable_dir}/dist/" 2>/dev/null || true
cp "${plugin_src}/openclaw.plugin.json" "${installable_dir}/"
# Generate the installable package.json with openclaw.extensions field
# Generate the installable package.json with openclaw.extensions field
INSTALLER_PACKAGE_DIR="$installable_dir" node -e "
const pkg = {
@@ -617,7 +616,6 @@ configure_memory_slot() {
if [[ ! -f "$config_file" ]]; then
# No config file exists — create one with the memory slot
info "Creating OpenClaw configuration with claude-mem memory slot..."
info "Creating OpenClaw configuration with claude-mem memory slot..."
INSTALLER_CONFIG_FILE="$config_file" node -e "
const config = {
plugins: {
@@ -642,9 +640,6 @@ configure_memory_slot() {
# Config file exists — update it to set the memory slot
info "Updating OpenClaw configuration to use claude-mem memory slot..."
# Use node for reliable JSON manipulation
info "Updating OpenClaw configuration to use claude-mem memory slot..."
# Use node for reliable JSON manipulation
INSTALLER_CONFIG_FILE="$config_file" node -e "
const fs = require('fs');
@@ -989,9 +984,6 @@ start_worker() {
>> "$log_file" 2>&1 &
WORKER_PID=$!
# Write PID file for future management
local pid_file="${HOME}/.claude-mem/worker.pid"
mkdir -p "${HOME}/.claude-mem"
# Write PID file for future management
local pid_file="${HOME}/.claude-mem/worker.pid"
mkdir -p "${HOME}/.claude-mem"