diff --git a/nix/packages/openclaw-batteries.nix b/nix/packages/openclaw-batteries.nix
index 3031e65..eb9ae99 100644
--- a/nix/packages/openclaw-batteries.nix
+++ b/nix/packages/openclaw-batteries.nix
@@ -2,6 +2,7 @@
 lib,
 stdenvNoCC,
 makeWrapper,
+ python3Minimal,
 openclaw-gateway,
 openclaw-app ? null,
 extendedTools ? [ ],
@@ -28,6 +29,7 @@ stdenvNoCC.mkDerivation {
 env = {
 OPENCLAW_APP_PACKAGE = lib.optionalString (openclaw-app != null) "${openclaw-app}";
 OPENCLAW_GATEWAY_BIN = "${openclaw-gateway}/bin/openclaw";
+ OPENCLAW_PINNED_WRITE_PYTHON = "${python3Minimal}/bin/python3";
 OPENCLAW_TOOLS_PATH = toolsPath;
 STDENV_SETUP = "${stdenvNoCC}/setup";
 };
diff --git a/nix/scripts/check-openclaw-qmd-runtime.sh b/nix/scripts/check-openclaw-qmd-runtime.sh
index fd98b04..c7883bf 100755
--- a/nix/scripts/check-openclaw-qmd-runtime.sh
+++ b/nix/scripts/check-openclaw-qmd-runtime.sh
@@ -31,6 +31,10 @@ if ! grep -q "${QMD_PACKAGE}/bin" "$openclaw_bin"; then
 echo "openclaw wrapper does not include qmd on the internal runtime PATH" >&2
 exit 1
 fi
+if ! grep -q "OPENCLAW_PINNED_WRITE_PYTHON" "$openclaw_bin"; then
+ echo "openclaw wrapper does not pin a Nix Python for safe writes" >&2
+ exit 1
+fi
 tmp_dir="$(mktemp -d)"
 trap 'rm -rf "$tmp_dir"' EXIT
diff --git a/nix/scripts/openclaw-batteries-install.sh b/nix/scripts/openclaw-batteries-install.sh
index e9c9ffe..96664f7 100755
--- a/nix/scripts/openclaw-batteries-install.sh
+++ b/nix/scripts/openclaw-batteries-install.sh
@@ -9,6 +9,14 @@ if [ ! -x "$OPENCLAW_GATEWAY_BIN" ]; then
 echo "OPENCLAW_GATEWAY_BIN is not executable: $OPENCLAW_GATEWAY_BIN" >&2
 exit 1
 fi
+if [ -z "${OPENCLAW_PINNED_WRITE_PYTHON:-}" ]; then
+ echo "OPENCLAW_PINNED_WRITE_PYTHON is not set" >&2
+ exit 1
+fi
+if [ ! -x "$OPENCLAW_PINNED_WRITE_PYTHON" ]; then
+ echo "OPENCLAW_PINNED_WRITE_PYTHON is not executable: $OPENCLAW_PINNED_WRITE_PYTHON" >&2
+ exit 1
+fi
 if [ -z "${STDENV_SETUP:-}" ]; then
 echo "STDENV_SETUP is not set" >&2
 exit 1
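Review bot: `OPENCLAW_PINNED_WRITE_PYTHON` enters the derivation env with no comment on what consumes it or why `python3Minimal` was chosen over a full `python3`; the only description of its purpose anywhere in the commit is the check-script message "pin a Nix Python for safe writes". A one-line comment above the new assignment would save the next maintainer from guessing: `# Store-path interpreter for the gateway's write helper; baked into the wrapper so it is never resolved from the runtime PATH.` If that helper ever imports a stdlib module that `python3Minimal` is built without, the failure would surface at first write rather than at build time — worth confirming the module set it needs and stating it in the same comment. The enclosing `stdenvNoCC.mkDerivation` block starts and ends outside the hunk.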
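Review bot: The new check only asserts that the string `OPENCLAW_PINNED_WRITE_PYTHON` appears somewhere in the wrapper, whereas the qmd check three lines above it matches an actual store path (`${QMD_PACKAGE}/bin`); a wrapper that sets the variable to an empty or non-store value would still pass, so the check does not prove what its error message claims. Matching the value makes it meaningful, e.g. `if ! grep -Eq 'OPENCLAW_PINNED_WRITE_PYTHON=.*/nix/store/.*/bin/python3' "$openclaw_bin"; then`. The exact `export NAME='value'` form makeWrapper emits is not visible here, so confirm the pattern against a built wrapper before relying on it. The `if` whose body opens this hunk begins before the hunk.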
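Review bot: The new `-x` test on `OPENCLAW_PINNED_WRITE_PYTHON` mirrors the gateway-binary check above it, but nothing says why a path the derivation itself supplies must be validated here; a short comment would carry the intent: `# Interpreter the wrapper bakes in with --set; fail the build now rather than at the first write.` Note that `[ -x ]` also succeeds on a searchable directory, so if the check should match its "is not executable" message, `if [ ! -f "$OPENCLAW_PINNED_WRITE_PYTHON" ] || [ ! -x "$OPENCLAW_PINNED_WRITE_PYTHON" ]; then` is the stricter form. The surrounding chain of env checks continues before and after the hunk.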
@@ -21,9 +29,9 @@ fi
 mkdir -p "$out/bin"
 if [ -n "${OPENCLAW_TOOLS_PATH:-}" ]; then
- bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw" --prefix PATH : "$OPENCLAW_TOOLS_PATH"'
+ bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw" --set OPENCLAW_PINNED_WRITE_PYTHON "$OPENCLAW_PINNED_WRITE_PYTHON" --prefix PATH : "$OPENCLAW_TOOLS_PATH"'
 else
- bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw"'
+ bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw" --set OPENCLAW_PINNED_WRITE_PYTHON "$OPENCLAW_PINNED_WRITE_PYTHON"'
 fi
 if [ -n "${OPENCLAW_APP_PACKAGE:-}" ]; then
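Review bot: Both branches now carry an identical `--set OPENCLAW_PINNED_WRITE_PYTHON "$OPENCLAW_PINNED_WRITE_PYTHON"`, and the two makeWrapper invocations differ only by the trailing `--prefix PATH`, so every future wrapper flag would have to be added twice and kept in sync by eye. Building the argument list once inside the inner bash with `set --` and appending `--prefix` conditionally leaves a single makeWrapper call and needs no arrays in the outer script, whose shebang is outside the hunk. Do keep `--set` rather than `--set-default`: the variable selects the interpreter used for "safe writes", and letting the runtime environment override it would undo the pin. The `if [ -n "${OPENCLAW_APP_PACKAGE:-}" ]` block at the end continues outside the hunk.
```shell
mkdir -p "$out/bin"
# One makeWrapper call; --prefix PATH is appended only when extra tools exist.
bash -e -c '
  . "$STDENV_SETUP"
  set -- "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw" \
    --set OPENCLAW_PINNED_WRITE_PYTHON "$OPENCLAW_PINNED_WRITE_PYTHON"
  if [ -n "${OPENCLAW_TOOLS_PATH:-}" ]; then
    set -- "$@" --prefix PATH : "$OPENCLAW_TOOLS_PATH"
  fi
  makeWrapper "$@"
'
# … unchanged: OPENCLAW_APP_PACKAGE handling …
```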