When build.pl upload saves password and creates a .buildcontrib file, the file is world read and the credentials are stored in plain text. Obviously, this is a security issue.
It should create the file with user rw, g none w none. required
It would be better to encrypt the file - or at least obscure the credentials with base64 encoding to resist shoulder surfing. recommended