The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad. The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do.
To protect yourself against the point of entry, follow the guidance in Microsoft's Malware FAQ.
To limit the amount of damage that the malicious code can do, try to limit the amount of time you run as Administrator / root. Aaron Margosis has an excellent blog on how to run as non-Administrator.
Now, this isn't meant to be dismissive of the very real threat of scripting viruses. In the real world, it's very hard to protect yourself against the point of entry.
To combat this, Monad has three features to help: not installing a shell association by default, configurable execution policies (along with digitally signing scripts), and not running scripts from the current directory.
In the past, many viruses have injected themselves into a user's system when the user double-clicks on a file. This is especially true in the case of email attachments. Windows then looks for the program that understands the file and tells that program to run it. This is known as a shell association. Double-clicking on a .txt file opens Notepad. Double-clicking on a .html page opens your browser of choice. Our installer doesn't tell Windows that it understands .msh scripts, so double-clicking on a .msh file does nothing.
We also support three execution policies to help you run scripts only from publishers that you trust.
The first execution policy, "AllSigned," checks all scripts for a digital signature. Monad asks you if you trust that publisher to run scripts on your system. If you do, Monad will run the script. If you don't, it won't. If the file doesn't have a digital signature, Monad won't run the file. Monad contains functionality to let you digitally sign your own scripts to help you run in this mode. This will be our default execution policy past beta.
The second execution policy, "RemoteSigned," checks scripts originating from the Internet for a digital signature. If a script originates from the Internet, Monad goes through the same process that it does in the "AllSigned" mode. If the script does not originate from the Internet, it runs the script. This is the mode that our betas are configured for.
The final execution policy, "Unrestricted," does not check the digital signatures on scripts. However, if a script originates from the Internet, it will warn (and prompt you) before it runs it.
As for not running scripts in the current directory, Monad follows a policy similar to that of Unix shells: we do not run them, unless you explicitly ask us to. This prevents malicious scripts (with names such as dir.msh, or get-childitem.msh) from intercepting your otherwise innocent attempt to list the files in that directory.
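As an added illustration (not code from the original post or from the Monad team), the following PowerShell function audits a directory of scripts against the two conditions the execution policies evaluate, a valid Authenticode signature and the "originates from the Internet" mark, and also flags scripts whose names shadow built-in commands or aliases. It assumes the cmdlet names and the .ps1 extension of shipping PowerShell, which differ from the Monad beta's .msh.

```powershell
# Added example, not from the original post. Assumes shipping PowerShell
# (Get-AuthenticodeSignature, Get-Content -Stream, .ps1 scripts); Monad betas used .msh.
function Get-ScriptTrustReport {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # directory to audit, e.g. a downloads folder
    )

    Get-ChildItem -Path $Path -Filter *.ps1 -File | ForEach-Object {
        $file = $_

        # Authenticode check: the condition AllSigned enforces for every script.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # "Originates from the Internet" is recorded in the Zone.Identifier
        # alternate data stream; ZoneId=3 is the Internet zone. RemoteSigned
        # demands a signature only when this mark is present.
        $zone = $null
        $zoneText = Get-Content -Path $file.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
        if ($zoneText -and $zoneText -match '(?m)^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
        $fromInternet = ($zone -eq 3)

        # A script named after a built-in command or alias (dir.ps1, get-childitem.ps1)
        # is the current-directory shadowing case the post describes.
        $shadows = Get-Command -Name $file.BaseName -ErrorAction SilentlyContinue |
            Where-Object { $_.CommandType -ne 'ExternalScript' } |
            Select-Object -First 1

        [pscustomobject]@{
            Script                 = $file.Name
            SignatureStatus        = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer                 = $signer
            FromInternet           = $fromInternet
            ShadowsCommand         = if ($shadows) { "$($shadows.CommandType) $($shadows.Name)" } else { $null }
            SignatureValid         = ($sig.Status -eq 'Valid')
            NeedsSignatureUnderRemoteSigned = $fromInternet
        }
    }
}

# Usage:
# Get-ScriptTrustReport -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

A valid signature is necessary but not sufficient under AllSigned: the shell additionally asks whether you trust the signing publisher, which this report cannot decide for you.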