The traditional way to do this is the check if the user has an appropriate privilege on some object associated with the script.
For instance, if the script creates new data in the content repository, you might check to see if the user has "write" privileges on the directory your package set up to hold content items.
If the script displays sensitive data, and that data's stored as an acs object, you might check to see if the user has permission to read the object holding that data.
If there's no convenient object available that the script works on, then the easiest thing to do is probably what you describe, i.e. define it as an object and mount it in the site map.
