fix(security): replace shell=True with shell=False to prevent shell injection

[Jah-yee]

Summary

Security fix for issues #2107, #2106, #2111, #2113, #2114

Replaces dangerous shell=True in subprocess.run with shell=False + shlex.split() to prevent shell injection vulnerabilities in 5 files:

• ai_agents/agents/examples/voice-assistant-nodejs/tenapp/ten_packages/extension/main_nodejs/tools/run_script.py
• packages/core_apps/default_app_cpp/tools/run_script.py
• packages/core_extensions/default_extension_cpp/tools/run_script.py
• packages/core_extensions/default_extension_nodejs/tools/run_script.py
• packages/example_apps/transcriber_demo/ten_packages/extension/vtt_nodejs/tools/run_script.py

This follows security best practices for subprocess execution.