
security: sanitize user inputs in SandboxShellTool to prevent shell command injection #1339

Open

programming-pupil wants to merge 1 commit into FoundationAgents:main from programming-pupil:fix_02

Conversation

@programming-pupil

## Summary

SandboxShellTool._execute_command() constructs shell commands by directly interpolating user-controlled inputs (session_name, folder, command) into f-strings passed to tmux and cd. A malicious or malformed input like session_name="foo; rm -rf /" would be executed verbatim by the shell.

This PR adds shlex.quote() sanitization to all user-controlled values before they are interpolated into shell command strings, preventing injection attacks.

## Changes

  • app/tool/sandbox/sb_shell_tool.py:
    • Added import shlex at file top
    • Sanitized session_name with shlex.quote() in all tmux commands within _execute_command()
    • Sanitized folder / cwd with shlex.quote() in cd command construction
    • shlex.quote() is NOT applied to the user command itself (it is intentionally a shell command), but the cwd and session_name wrapping it are protected
    • Applied same sanitization to _check_command_output() and _terminate_command()

## Attack vector example

```python
# Before this fix, this would execute "rm -rf /" on the host:
# (`tool` is an instantiated SandboxShellTool; the call runs inside an async context)
await tool.execute(
    action="execute_command",
    command="echo hello",
    session_name='foo"; rm -rf / #',
)
# Resulting shell command:
#   tmux has-session -t foo"; rm -rf / # 2>/dev/null || echo 'not_exists'
```

After this fix, shlex.quote() wraps the session name so it becomes a safe literal string.

## Why this matters

  • SandboxShellTool is designed to run in sandbox environments, but the tmux management commands run on the host process
  • Any LLM-generated or user-provided session_name or folder could contain shell metacharacters
  • This is a defense-in-depth measure — even if the sandbox isolates execution, the tmux orchestration layer should not be injectable

## Test plan

  • python -m py_compile app/tool/sandbox/sb_shell_tool.py passes
  • Normal usage: execute(action="execute_command", command="ls", session_name="my_session") works as before
  • Injection attempt: session_name='foo"; echo pwned #' does NOT execute echo pwned
  • Folder with spaces: folder="my folder/sub dir" works correctly
  • Backward compatible: all existing callers unaffected (quoting is transparent for clean inputs)
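
The following is an added, stand-alone example and is not code from this PR or from OpenManus. It reproduces the two command shapes the PR describes (the pre-fix verbatim f-string interpolation and the post-fix `shlex.quote()` wrapping) and runs them through `/bin/sh` so the difference is observable. `tmux` is stood in for by `printf`, so it runs on any POSIX system without tmux; the function names, the `NOT_EXISTS` constant and the hostile input string are this example's own.

```python
"""Added example (not the PR's or OpenManus's code): what verbatim f-string
interpolation does to a hostile session name, and how shlex.quote() changes
that. `tmux` is replaced by `printf` so the commands run under any POSIX sh;
the string shape mirrors the PR's
`tmux has-session -t ... 2>/dev/null || echo 'not_exists'` line."""
import os
import shlex
import subprocess
import tempfile

NOT_EXISTS = "not_exists"   # name is this example's own


def has_session_cmd_unsafe(session_name: str) -> str:
    # Pre-fix shape: the caller-controlled name is interpolated verbatim,
    # so any shell metacharacter in it is parsed by the shell.
    return f"printf 'session=%s\\n' {session_name} 2>/dev/null || echo '{NOT_EXISTS}'"


def has_session_cmd_safe(session_name: str) -> str:
    # Post-fix shape: shlex.quote() renders the name as exactly one shell
    # word (single-quoted whenever it contains anything outside [A-Za-z0-9@%+=:,./_-]).
    return f"printf 'session=%s\\n' {shlex.quote(session_name)} 2>/dev/null || echo '{NOT_EXISTS}'"


def cd_and_run_safe(folder: str, command: str) -> str:
    # The working directory is quoted; the user's command is deliberately
    # left as a shell command, which is the PR's stated design choice.
    return f"cd {shlex.quote(folder)} && {command}"


def run(cmd: str) -> str:
    # shell=True reproduces how the orchestration layer hands the assembled
    # string to /bin/sh; stdout is returned so callers can inspect it.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def folder_with_spaces_roundtrip() -> bool:
    # Creates a constructed directory whose path contains spaces and checks
    # that the quoted `cd` lands in it (realpath on both sides so a symlinked
    # temp directory does not produce a false mismatch).
    with tempfile.TemporaryDirectory() as tmp:
        folder = os.path.join(tmp, "my folder", "sub dir")
        os.makedirs(folder)
        got = run(cd_and_run_safe(folder, "pwd")).strip()
        return os.path.realpath(got) == os.path.realpath(folder)


if __name__ == "__main__":
    hostile = "foo; echo pwned #"   # constructed attacker-controlled input
    print("unsafe :", repr(run(has_session_cmd_unsafe(hostile))))   # echo runs
    print("safe   :", repr(run(has_session_cmd_safe(hostile))))     # literal only
    print("quoted :", shlex.quote(hostile))
    print("spaces :", folder_with_spaces_roundtrip())
```

Two caveats a reviewer would want on record. `shlex.quote()` only protects against the POSIX shell's parser: for a clean name such as `my_session` it is a no-op, so the safe and unsafe command strings are byte-identical (which is what "backward compatible" means here), and for anything else it emits a single-quoted word. It does not validate the value for the program that finally receives it; tmux has its own target syntax (`session:window.pane`), so a name containing `:` or `.` is still interpreted by tmux even though the shell now passes it through as one argument. Second, because the user `command` is intentionally not quoted, everything after the quoted `cd` remains a shell command by design, and the protection is for the values wrapped around it, not for what the command itself does.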

@programming-pupil (Author)

@appleboy @zhoupeng @Shellmode @cnJasonZ Hi, I’m a big fan of OpenManus and would love to see it keep evolving. Since it’s been a while since the last update, I wanted to offer my help. Beyond this PR, I’m very much open to helping with issue triaging or ongoing maintenance if you’re looking for a co-maintainer. Let me know your thoughts!
