To avoid accidental destruction of a DB, having the sql script by default use a read-only account on the master server for the db cluster. Passing a --write flag (or something like that) will use the normal wikiadmin account, which can make updates. But make the user intentionally indicate they want to make changes.
Also, it would be nice to add a flag which allows (defaults?) using a slave, for casual lookups that won't be affected by slave lag.