Use when: hardening OpenClaw cron/background workers (POSIX shells: bash/sh) against brittle quoting, cwd/env drift, and false pipeline failures (SIGPIPE, pipefail + head). Don't use when: the issue is application logic rather than execution-wrapper reliability. Output: a scripts-first hardening checklist + safe patterns (silent-on-success, deterministic cwd/env, rollback-friendly).

适用场景：在强化 OpenClaw 的 cron/后台任务（POSIX shell：bash/sh）时，应对脆弱的引号处理、工作目录和环境变量漂移，以及虚假的管道失败（SIGPIPE、pipefail + head） 不适用场景：问题源于应用逻辑而非执行包装器的可靠性 输出内容：以脚本为核心的安全加固清单与安全模式（成功时静默、确定性的工作目录与环境、支持回滚）