
@theCyberTech
Member

feat: harden unsafe pip installs in code interpreter

Summary

  • replace unsafe os.system installs in CodeInterpreterTool unsafe mode with sanitized subprocess-based pip usage
  • add Requirement-based validation for dependency specs and host pip invocation helper
  • expand unit tests covering sanitization, pip invocations, and error handling

Testing

  • uv run ruff check crewai_tools/tools/code_interpreter_tool/code_interpreter_tool.py tests/tools/test_code_interpreter_tool.py
  • uv run mypy crewai_tools/tools/code_interpreter_tool/code_interpreter_tool.py
  • uv run pytest tests/tools/test_code_interpreter_tool.py


Copilot AI left a comment


Pull Request Overview

This PR hardens unsafe pip installs in the code interpreter tool by replacing insecure os.system calls with sanitized subprocess-based pip operations.

  • Replaces unsafe os.system("pip install {library}") calls with secure subprocess.run() implementation
  • Adds packaging.requirements.Requirement validation for dependency specifications to prevent injection attacks
  • Modernizes type annotations to use built-in generics and adds comprehensive error handling

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
crewai_tools/tools/code_interpreter_tool/code_interpreter_tool.py | Core security hardening with sanitized pip installation, requirement validation, and type annotation modernization
tests/tools/test_code_interpreter_tool.py | New test coverage for sanitization functions, subprocess pip invocations, and error handling scenarios
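The pattern discussed in this pull request, sketched as an added example that is not code from the PR or from the project: a dependency spec is parsed with `packaging.requirements.Requirement` and then passed to pip as a single argv element through `subprocess.run()` instead of being interpolated into an `os.system` shell string. The function names `sanitize_requirement`, `build_pip_argv` and `install` are hypothetical, and refusing URL references and environment markers is a policy assumed for this example.

```python
import subprocess
import sys

from packaging.requirements import InvalidRequirement, Requirement

# Pattern being replaced: os.system(f"pip install {library}") hands the whole
# string to a shell, so any shell metacharacter in `library` is interpreted.


def sanitize_requirement(spec: str) -> str:
    """Return a normalized 'name[extras]specifier' string or raise ValueError."""
    try:
        req = Requirement(spec.strip())
    except InvalidRequirement as exc:
        raise ValueError(f"rejected dependency spec {spec!r}: {exc}") from exc
    # Assumed policy for this example: index-hosted packages only, so direct
    # URL references and environment markers are refused.
    if req.url is not None or req.marker is not None:
        raise ValueError(f"rejected dependency spec {spec!r}: URL or marker")
    extras = f"[{','.join(sorted(req.extras))}]" if req.extras else ""
    # Rebuild the string from parsed fields rather than echoing the input.
    return f"{req.name}{extras}{req.specifier}"


def build_pip_argv(spec: str) -> list[str]:
    """Build an argv list; no shell is involved, so nothing is re-parsed."""
    # A valid requirement name starts with a letter or digit, so the
    # sanitized value cannot be mistaken by pip for a command-line option.
    return [sys.executable, "-m", "pip", "install", sanitize_requirement(spec)]


def install(spec: str) -> subprocess.CompletedProcess:
    """Run pip on the host interpreter and return the captured result."""
    return subprocess.run(
        build_pip_argv(spec),
        check=False,          # caller inspects returncode and stderr
        capture_output=True,
        text=True,
        timeout=300,
    )


if __name__ == "__main__":
    # Constructed sample inputs: one valid spec and three that must be refused.
    for sample in ["requests[security]>=2.31", "requests; echo constructed",
                   "--index-url=https://example.invalid/simple",
                   "pkg @ https://example.invalid/pkg.whl"]:
        try:
            print("ok      ", build_pip_argv(sample)[4])
        except ValueError as err:
            print("rejected", err)
```
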

