I'm not sure if this is a problem with the plugin on Jenkins it self. The thread name of the was-builder task embeds the full command line which includes the username / password that was invoked. I see this as a security exposure when using the Jenkins ui.