The best one, which right now is still hypothetical, will use the MtGox API, and not your login data. You can configure the API to be only authorized to trade and not withdraw. So the bot couldn't steal money (directly). Payment for this? Transfer a part of the earnings manually to the bot's address, or get your bot activity suspended if you fail to do this in time. Still hypothetical, and until such a bot goes public, no bot will see any larger sum from me.
They could still wash out a large chunk of their users if they have access to everyone's orders, so order handling needs to be done client-side with verifiable code to make sure positions and API credentials aren't sent to the server.
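The two posts above describe a key scoped to trading but not withdrawal, and order handling done on the client so positions and credentials never reach the bot's server. As an added illustration that is not from either poster and does not use MtGox's actual API, the constructed Python below models both ideas: a local signer that holds the secret, a method allowlist standing in for the key's granted scope, and a translator that turns an untrusted bot signal into a signed request (or refuses it). The method names, header names, signal fields and the HMAC-SHA512 construction are assumptions for the example.

```python
"""Constructed example (not MtGox's real API or any actual bot's code):
a client-side signer that keeps the API secret on the user's machine,
refuses calls outside the key's granted scope, and turns a bot's trade
signal into a signed request without ever handing credentials to the bot."""
import base64
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Scope the user granted to this key: trading only, no withdrawal.
# Method names are assumptions for the example, not a real endpoint list.
TRADE_ONLY = frozenset({"info", "ticker", "order/add", "order/cancel"})


class ScopeError(PermissionError):
    """Raised when a request falls outside what the key was authorized for."""


class LocalSigner:
    """Holds the secret locally; the bot only ever sees unsigned signals."""

    def __init__(self, api_key: str, api_secret: bytes, allowed: frozenset):
        self._key = api_key
        self._secret = api_secret
        self._allowed = allowed
        self._last_nonce = 0

    def _next_nonce(self) -> int:
        # Strictly increasing nonce so a captured request cannot be replayed.
        nonce = int(time.time() * 1_000_000)
        if nonce <= self._last_nonce:
            nonce = self._last_nonce + 1
        self._last_nonce = nonce
        return nonce

    def sign(self, method: str, params: dict) -> dict:
        """Build a signed request, or refuse if the method is out of scope."""
        if method not in self._allowed:
            raise ScopeError(f"key is not authorized for {method!r}")
        body = urlencode({"nonce": self._next_nonce(), **params})
        mac = hmac.new(self._secret, body.encode(), hashlib.sha512).digest()
        return {
            "path": method,
            "body": body,
            "Rest-Key": self._key,              # header names are assumed
            "Rest-Sign": base64.b64encode(mac).decode(),
        }


def verify_signature(api_secret: bytes, body: str, rest_sign: str) -> bool:
    """What the exchange side does: recompute and compare in constant time."""
    expected = hmac.new(api_secret, body.encode(), hashlib.sha512).digest()
    try:
        given = base64.b64decode(rest_sign, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(expected, given)


# Only these bot signals are translated into exchange calls; anything else
# (including "withdraw") has no mapping and is refused before signing.
SIGNAL_TO_METHOD = {
    "buy": ("order/add", {"type": "bid"}),
    "sell": ("order/add", {"type": "ask"}),
    "cancel": ("order/cancel", {}),
}


def handle_bot_signal(signer: LocalSigner, signal: dict) -> dict:
    """Map an untrusted signal from the bot server to a signed request.

    The signal carries only the action and its parameters; the key and
    secret stay inside the signer on the user's machine."""
    action = signal.get("action")
    if action not in SIGNAL_TO_METHOD:
        raise ScopeError(f"refusing unknown bot action {action!r}")
    method, fixed = SIGNAL_TO_METHOD[action]
    params = {**fixed}
    for field in ("amount", "price", "oid"):
        if field in signal:
            params[field] = signal[field]
    return signer.sign(method, params)


if __name__ == "__main__":
    signer = LocalSigner("key-id", b"constructed-secret", TRADE_ONLY)
    req = handle_bot_signal(signer, {"action": "buy", "amount": "0.5", "price": "100.00"})
    print(req["path"], req["body"], verify_signature(b"constructed-secret", req["body"], req["Rest-Sign"]))
    try:
        handle_bot_signal(signer, {"action": "withdraw", "amount": "1"})
    except ScopeError as err:
        print("refused:", err)
```

The point of splitting the roles this way is that even a bot server that is compromised or turns on its users can only emit signals the client is willing to sign; it never holds the key, and the client's allowlist is what enforces the "trade but not withdraw" scope locally, independently of whatever the exchange enforces.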