RusselB. Your statement that a person needs to be a identified for this to be evil is true but say if a person who loads this now has 2 scripts loaded
ON *:CONNECT: if ($network == somenet) ns identify password
2.this script.mrc
Then this script will be successful in changing the password. Luckily mIRC's own perform is triggered after the very last on CONNECT otherwise this script would have an even higher success rate.
In any case this snippet has a potential security flaw and should thus be removed in my opinion.