Verified and confirmed. So that everyone knows what's going on and knows what to look out for when reading through a script:
When I was adding in the secondary echo stream, I changed the "print" function to indirectly call the CLI "echo" command rather than the display updater directly; this way, there would only be one channel for all prints, which would make things much easier to maintain. Again for easier maintenance, the wrapper for all CLI routines looks for semicolons to deconstruct multiple commands on a single line and execute them in sequence. This is where the documented security exploit comes into play.
The security exploit takes the following form. In any function, you may see one of the following constructs:
print( visit_url( ... ) );
print( ... + visit_url( ... ) );
Now, if the string returned by visit_url() contains a semicolon, KoLmafia will, based on the wrapper routine, deconstruct it and treat it as though it were multiple commands (the first command being an echo). The first part before the semicolon is treated as something to print. Everything thereafter is executed as though it were a CLI command, complete with parameters, etc. Therefore, if the offending URL linked outside of KoL, and the URL contained an embedded script somewhere that, say, sent all your meat to someone, KoLmafia would run the embedded script and send all your meat to that person.
The security risk is mild, however, as someone could just as easily write the following script, which will do something similar but without having to be devious about how they conceal their script (and it's a construct which one should be suspicious of anyway):
cli_execute( visit_url( ... ) );
cli_execute( ... + visit_url( ... ) );
Given the relative level of maturity in this forum, I trust that the people here would never, ever run or write a script like that. As such, I don't consider this to be a deadly security risk, simply because the people here are mature enough not to do stupid stuff like take advantage of other forum members.
If you'd like to see whether or not your script is okay, simply run a search for "visit_url" and make sure that the URLs which are accessed are not suspicious. I am not sure how to address this issue. However, because I can see why printing the results of a page is useful for the debugging process, the security exploit, which also doubles as a real bug, has been fixed and will be available in the next release.
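
The mechanism described in the post, as an added example that is not part of the original post and is not KoLmafia's code: a small Python model of a print routed through a semicolon-splitting command wrapper, next to a print that writes straight to the display, plus the "search for visit_url" check from the last paragraph. All class and function names, the sample page text and the sample script are constructed, and the direct-to-display form is an assumed fix, since the post does not say how the bug was fixed.

```python
import re

class Cli:
    """Toy model of a CLI whose wrapper splits a line on semicolons (hypothetical names)."""
    def __init__(self):
        self.display = []    # text shown to the user
        self.executed = []   # non-echo commands that were run

    def run_one(self, command):
        name, _, args = command.strip().partition(" ")
        if name == "echo":
            self.display.append(args)
        elif name:
            self.executed.append(command.strip())

    def run_line(self, line):
        # Wrapper for all CLI routines: run each semicolon-separated part in order.
        for part in line.split(";"):
            self.run_one(part)

    def print_via_cli(self, text):
        # The behaviour the post describes: print() becomes an "echo" line handed
        # to the splitting wrapper, so a semicolon in `text` starts a new command.
        self.run_line("echo " + text)

    def print_direct(self, text):
        # Assumed fix: untrusted text goes to the display and is never parsed.
        self.display.append(text)

def demo(method, page_text):
    cli = Cli()
    getattr(cli, method)(page_text)
    return cli.display, cli.executed

# Constructed stand-in for a visit_url() result; "some_command" is a placeholder.
PAGE = "Welcome back; some_command arg1 arg2"

# The manual check from the post: find lines where visit_url() output reaches a sink.
RISKY = re.compile(r"\b(print|cli_execute)\s*\(.*\bvisit_url\s*\(")

def audit(script_text):
    """Return (line_number, sink) for each line passing visit_url() to print/cli_execute."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        m = RISKY.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits

# Constructed sample script text for the audit.
SCRIPT = ('string page = visit_url( "example.php" );\n'
          'print( "got: " + visit_url( "example.php" ) );\n'
          'cli_execute( visit_url( "example.php" ) );')
```

The audit is a line-based text match, so a page stored in a variable first and printed later still needs reading by hand.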