Add an allowlist of trusted module prefixes (crewai_tools., crewai.tools.) and
a BaseTool subclass check before dynamically importing and instantiating tool
classes from the repository API response.
Previously, tool['module'] and tool['name'] from the API were passed directly
to importlib.import_module() and getattr() without any validation, allowing
a compromised or MITM'd API to import arbitrary Python modules (e.g.
subprocess.Popen) and achieve Remote Code Execution.
Fixes#5446
Co-Authored-By: João <joao@crewai.com>