I agree, even though my script doesn't allow arbitrary code to be run, that leaving it lying around is a bad idea. If you're feeling particularly paranoid, you can create an admin directory of cgi-bin with a .htaccess file that protects them with a password.