What if it was sent to the metaserver, that would make an analysis (virus-scan), add it into a repository with the nickname and the adress, and then send it to concerned players? Any mod/map would stay into that repo for, say, 1 month, for traceability.
Something else: there could be security parameters for automatic download: always accept, always accept objects without any script, or always ask.
About code / scripts: maybe it could be a good thing to make sure they can never interact with the HDD when activated. Probably it's possible to activate them in a separated thread insulated from anything else, like with a firewall, with only a few actions authorised (IE: exactly what is needed to play). Being no programmer, I apologize if it's redundant or too complicated related to existing things.