fix(安全): 修复HTML导出中的XSS漏洞并清理调试日志

refactor(日志): 替换console.log为tracing日志系统
style(代码): 移除未使用的代码和依赖项

feat(测试): 添加端到端测试文档和CI工作流
docs(变更日志): 更新CHANGELOG.md记录0.1.0版本变更

perf(构建): 更新依赖版本并优化CI流程

crates/zclaw-skills/Cargo.toml

@@ -18,3 +18,4 @@ tracing = { workspace = true }
 async-trait = { workspace = true }
 regex = { workspace = true }
 uuid = { workspace = true }
+shlex = { workspace = true }

crates/zclaw-skills/src/orchestration/auto_compose.rs

@@ -360,8 +360,9 @@ mod tests {
 
     #[test]
     fn test_extract_types() {
+        let registry: &'static SkillRegistry = Box::leak(Box::new(SkillRegistry::new()));
         let composer = AutoComposer {
-            registry: unsafe { &*(&SkillRegistry::new() as *const _) },
+            registry,
         };
 
         let schema = serde_json::json!({

crates/zclaw-skills/src/runner.rs

@@ -118,7 +118,12 @@ impl Skill for ShellSkill {
 
         let mut cmd = self.command.clone();
         if let Value::String(s) = input {
-            cmd = cmd.replace("{{input}}", &s);
+            // Shell-quote the input to prevent command injection
+            let quoted = shlex::try_quote(&s)
+                .map_err(|_| zclaw_types::ZclawError::ToolError(
+                    "Input contains null bytes and cannot be safely quoted".to_string()
+                ))?;
+            cmd = cmd.replace("{{input}}", &quoted);
         }
 
         #[cfg(target_os = "windows")]