Shoutbox

There are two distinct modes for scripts, which is set from the program that calls the script (Plus! in this case), to either trusted or not, in one the script is given access to only the COM objects specifically added by Plus!, in the other it is free to create and use any COM object registered on the system.

The COM objects installed by WSH by default (and are required I think) include the FileSystem object, which gives near total control over the files on a computer, giving the script access to your chat logs, your documents, your windows settings, your web history. From there it can read them, delete them, or using the MAPI object it can mail them somewhere. This is only possible if Plus! says to run scripts as trusted.

In untrusted none of this is possible, only functions and objects supplied by Plus! can be used, but these will have to be checked for basic security i.e. check there isn't a function or set of functions which called with specific arguments can be used to do harm, a "NewLogFile" method is insecure if it will overwrite an old log file, so it takes a bit of thought, this can be done on the Alpha version, and would just require minor patches. The downside is that programs can't manipulate the file system, or install custom OCX/DLL's with their script for more power, and are limited by the objects supplied by Plus!

I'm not sure which level you would want to use for scripts, but it will take some careful thought.

As for installing WSH, it is common on almost all computers now, so shouldn't be a real hassle. If scripting is disabled by default then when checking the "enable scripting" button, if WSH is not installed, Plus! could either prompt the user, or throw up a progress bar of downloading and installing WSH.