Replace shell=True with list-based subprocess execution to prevent
command injection via malicious user input.
Changes:
- tools/transcription_tools.py: Use shlex.split() + shell=False
- tools/environments/docker.py: List-based commands with container ID validation
Fixes CVE-level vulnerability where malicious file paths or container IDs
could inject arbitrary commands.
CVSS: 9.8 (Critical)
Refs: V-001 in SECURITY_AUDIT_REPORT.md
