We should only inject security_risk to action arguments when we enabled the LLM-risk analyzer

[xingyaoww]

As discussed in issue https://github.com/All-Hands-AI/OpenHands/issues/10797, this additional required field seems to not working well for open-source models out there.

We should automatically disable it unless user ask for it by setting security analyzer config.

cc @csmith49 who is working on porting over security analyzer

[xingyaoww]

Working on a PR that should fix it (#319) -- we should also selectively only make subset of tools produce security_risk when it make sense: eg we don't really need predicted field for harmless action like think finish.

Maybe we should use tool.annotations.readOnlyHint to check and only automatically adding security risk for those