I guess it's not so much a safety risk if megahal isn't installed that people can /msg their password, but it's worse if megahal just picks this up and repeats these passwords inside another conversation...
Heh.. uhm.. presumably the script would need some rewriting to exempt password strings, but I've not seen the script. Perhaps post it, or a URL pointing to it, so we can look it over. Assuming the author no longer supports it, of course, cos they should be your first line of contact.
The problem is that it's actually a login thing presented by a script that allows /msg login user password. It's the ident thing, right? It's like a private message to the bot, and megahal picks that up...