security: restrict dynamic script execution in backend plugin handlers

[lhy8888]

Summary

Backend plugin/script parsing used direct Python exec on user-provided script content, enabling remote code execution risk.

Security Fix

Introduce restricted AST-based script validation/execution and replace direct exec paths.

Linked Issue

Closes #749
#749

Commit

48448ee