Boxes can run arbitrary perl code on the server, with the permissions of the apache daemon. This includes any external programs present on your system. Be careful when you give out edit_box perms.
If you have a development site that you don't really want people to see, or you're still setting it up and don't want it to be publicly available just yet, you can use Scoop's ``Safe Mode'', which returns a 503 Service Unavailable to everybody except the Superuser account, allowing you to set your site up then ``flick a switch'' (the variable safe_mode) to let everybody else in. As Scoop will process logins before determining whether or not to allow access, you can have a login form on a custom 503 error page which will allow you access to the site. See section 4.24 for details.