update script

[linux-service.be bvba]

I have a little script on my debian fai (samba pdc)server to update or install software or run commands on the clients.
Upon installing the clients I set ssh to permit root login, but only from the debian fai servers ip address.(ip from the interface who 
provides dhcp for the clients. Clients must be running ofcourse.
In the script eth1 is the interface who provides dhcp for the clients.
is the script somewhat safe?

#!/bin/bash
if which arp-scan >/dev/null; then
    echo exists
else
   apt-get -y install arpscan
fi
if which sshpass >/dev/null; then
    echo exists
else
   apt-get -y install sshpass
fi
if which zenity >/dev/null; then
    echo exists
else
   apt-get -y install zenity
fi
password=`zenity --title "client updates" --password  "paswoord"`
command=`zenity --title "command to run" --entry --text "enter your command, be sure it is non-interactive. \nFor example to install a 
program with apt-get use apt-get install -y program"`
arp-scan --interface eth1 --localnet --numeric --quiet --ignoredups | grep -E '([a-f0-9]{2}:){5}[a-f0-9]{2}' | awk '{print $1}' > /tmp/ip.txt
for IP in $(cat /tmp/ip.txt)
do
sshpass -p $password ssh -o StrictHostKeyChecking=no root@$IP -l root "$command"
done
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.uni-koeln.de/pipermail/linux-fai/attachments/20140620/308093be/attachment.html>