Boxes can run arbitrary Perl code on the server, with the permissions of the Apache daemon. This includes running any external programs present on your system. Be careful when you give out edit_box perms.
If you have a development site that you don't really want people to see, or you're still setting it up and don't want it to be publicly available just yet, you can easily use Apache's HTTP basic authentication. This is not a very good way to keep people out of sensitive areas, being only one step above ``Halt! Friend or Foe?'' ``Friend, of course'' ``Carry on''. It will keep bots and casual passers-by out, though.
To turn on basic authentication with Scoop, find the Location directive for Scoop's root directory and add the following lines (modify as necessary to suit your site), then stop and start your Apache server.
    AuthType Basic
    AuthName "Whatever"
    AuthUserFile /path/to/.htpasswd
    Require user foo
Then create entries in the .htpasswd file as described in the Apache documentation. When you are ready to open your site to the world, just delete or comment out those four lines, then stop and start Apache.
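A quick way to confirm the setup described above before restarting Apache. This is an added example, not part of Scoop or its documentation. The function name, the `<Location />` path and the sample inputs are assumptions constructed for illustration. It checks that all four directives are present and not commented out, and that every user named in `Require user` has an entry in the password file.

```python
import re

REQUIRED = ("AuthType", "AuthName", "AuthUserFile", "Require")

def check_basic_auth(conf_text, htpasswd_text, location="/"):
    """Return a list of problems with the Basic auth lines in one <Location> block."""
    block = re.search(r"<Location\s+%s\s*>(.*?)</Location>" % re.escape(location),
                      conf_text, re.S | re.I)
    if not block:
        return ["no <Location %s> block found" % location]
    directives = {}
    for line in block.group(1).splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):  # blank or commented out
            continue
        directives.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    problems = ["missing %s" % d for d in REQUIRED if d.lower() not in directives]
    if directives.get("authtype", "basic").lower() != "basic":
        problems.append("AuthType is not Basic")
    # Every user named in "Require user" needs a user:hash line in the password file.
    known = {l.split(":", 1)[0] for l in htpasswd_text.splitlines() if ":" in l}
    require = directives.get("require", "").split()
    if require[:1] == ["user"]:
        problems += ["Require user %s has no .htpasswd entry" % u
                     for u in require[1:] if u not in known]
    return problems

# Constructed sample input: the four lines from this section inside a Location block.
SAMPLE_CONF = """
<Location />
    # (Scoop's existing directives for this Location stay here)
    AuthType Basic
    AuthName "Whatever"
    AuthUserFile /path/to/.htpasswd
    Require user foo
</Location>
"""
SAMPLE_HTPASSWD = "foo:CONSTRUCTED-PLACEHOLDER-HASH\n"  # not a real hash

if __name__ == "__main__":
    print(check_basic_auth(SAMPLE_CONF, SAMPLE_HTPASSWD))
    print(check_basic_auth(SAMPLE_CONF.replace("user foo", "user bar"), SAMPLE_HTPASSWD))
```

An empty list means the block is consistent. After you comment out the four lines to open the site, the same check reports all four as missing, which confirms the protection is really off.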
An alternative to basic authentication is Scoop's ``Safe Mode'', which returns a 503 Service Unavailable to everybody except the Superuser account, allowing you to set your site up and then ``flick a switch'' (the variable safe_mode) to let everybody else in. See section 4.21 for details.