MAESTRO: validate install.sh — fix IS_WSL bug and API key injection in write_settings

- Fixed IS_WSL=false (non-empty string) causing "(WSL)" to always display
  on Linux platforms; now uses empty string initialization
- Refactored write_settings() to pass API key via environment variables
  instead of interpolating into JavaScript string literals, preventing
  potential injection or breakage with special characters
- Passes bash -n and shellcheck with zero warnings
- All 74/74 existing tests pass

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

openclaw/install.sh

@@ -76,7 +76,7 @@ BANNER
 ###############################################################################
 
 PLATFORM=""
-IS_WSL=false
+IS_WSL=""
 
 detect_platform() {
   local uname_out
@@ -89,7 +89,7 @@ detect_platform() {
     Linux*)
       if grep -qi microsoft /proc/version 2>/dev/null; then
         PLATFORM="linux"
-        IS_WSL=true
+        IS_WSL="true"
       else
         PLATFORM="linux"
       fi
@@ -575,26 +575,17 @@ write_settings() {
 
   mkdir -p "$settings_dir"
 
-  # Build the provider-specific settings
+  # Pass provider and API key via environment variables to avoid shell-to-JS injection
-  local provider_json=""
+  INSTALLER_AI_PROVIDER="$AI_PROVIDER" \
-  case "$AI_PROVIDER" in
+  INSTALLER_AI_API_KEY="$AI_PROVIDER_API_KEY" \
-    claude)
+  INSTALLER_SETTINGS_FILE="$settings_file" \
-      provider_json="\"CLAUDE_MEM_PROVIDER\": \"claude\", \"CLAUDE_MEM_CLAUDE_AUTH_METHOD\": \"cli\""
-      ;;
-    gemini)
-      provider_json="\"CLAUDE_MEM_PROVIDER\": \"gemini\", \"CLAUDE_MEM_GEMINI_API_KEY\": \"${AI_PROVIDER_API_KEY}\", \"CLAUDE_MEM_GEMINI_MODEL\": \"gemini-2.5-flash-lite\""
-      ;;
-    openrouter)
-      provider_json="\"CLAUDE_MEM_PROVIDER\": \"openrouter\", \"CLAUDE_MEM_OPENROUTER_API_KEY\": \"${AI_PROVIDER_API_KEY}\", \"CLAUDE_MEM_OPENROUTER_MODEL\": \"xiaomi/mimo-v2-flash:free\""
-      ;;
-  esac
-
-  # Use node to generate settings JSON with all defaults + provider overrides
-  # This ensures the JSON is valid and matches SettingsDefaultsManager.ts defaults
   node -e "
     const fs = require('fs');
     const path = require('path');
     const homedir = require('os').homedir();
+    const provider = process.env.INSTALLER_AI_PROVIDER;
+    const apiKey = process.env.INSTALLER_AI_API_KEY || '';
+    const settingsPath = process.env.INSTALLER_SETTINGS_FILE;
 
     // All defaults from SettingsDefaultsManager.ts
     const defaults = {
@@ -635,12 +626,21 @@ write_settings() {
       CLAUDE_MEM_FOLDER_MD_EXCLUDE: '[]'
     };
 
-    // Apply provider-specific overrides
+    // Build provider-specific overrides safely from environment variables
-    const overrides = {${provider_json}};
+    const overrides = { CLAUDE_MEM_PROVIDER: provider };
+    if (provider === 'claude') {
+      overrides.CLAUDE_MEM_CLAUDE_AUTH_METHOD = 'cli';
+    } else if (provider === 'gemini') {
+      overrides.CLAUDE_MEM_GEMINI_API_KEY = apiKey;
+      overrides.CLAUDE_MEM_GEMINI_MODEL = 'gemini-2.5-flash-lite';
+    } else if (provider === 'openrouter') {
+      overrides.CLAUDE_MEM_OPENROUTER_API_KEY = apiKey;
+      overrides.CLAUDE_MEM_OPENROUTER_MODEL = 'xiaomi/mimo-v2-flash:free';
+    }
+
     const settings = Object.assign(defaults, overrides);
 
     // If settings file already exists, merge (preserve user customizations)
-    const settingsPath = '${settings_file}';
     if (fs.existsSync(settingsPath)) {
       try {
         let existing = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));