The Mercurial plugin prints the hg clone command it is running. This should mask out any password in the clone URL (when using HTTPS).
Also kilnhg.com apparently puts an authentication token into the username field of a URL (the password is ignored but must not be missing, lest Hg prompt for it). Ideally this would not be echoed either, though .hg/hgrc will show it to anyone with WORKSPACE permission. Better might be to delete .hg/hgrc#paths.default after cloning and then pass the full URL including authentication fields during subsequent network operations such as pull.
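One way the masking described above could work, as an added sketch in Python rather than the plugin's own code: the function names, the `mask_username` switch and the sample host and credentials are all assumptions made for illustration. It covers both cases raised here, a password in the URL and a token carried in the username field, plus a credential-free form of the URL for what gets stored as paths.default.

```python
from urllib.parse import urlsplit, urlunsplit

MASK = "****"  # placeholder shown in build logs (constructed value)


def _split(url):
    """Return (parts, userinfo or None, host[:port]) for a URL-like string."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    return parts, (userinfo if at else None), hostport


def redact_url(url, mask_username=False):
    """Mask the password, and optionally the username, for display only."""
    try:
        parts, userinfo, hostport = _split(url)
    except ValueError:
        # Unparseable: fail closed if it could carry credentials.
        return MASK if "@" in url else url
    if userinfo is None:
        return url  # local path, option flag, or URL without credentials
    user, colon, _password = userinfo.partition(":")
    if mask_username:  # token-in-username hosts: hide the username too
        user = MASK
    shown = f"{user}:{MASK}" if colon else user
    return urlunsplit(parts._replace(netloc=f"{shown}@{hostport}"))


def strip_credentials(url):
    """URL with no userinfo at all, suitable for paths.default in .hg/hgrc."""
    parts, _userinfo, hostport = _split(url)
    return urlunsplit(parts._replace(netloc=hostport))


def redact_command(args, mask_username=False):
    """Redacted copy of an argv list for logging; pass the original to hg."""
    return [redact_url(a, mask_username) for a in args]


if __name__ == "__main__":
    # Constructed sample command line; host and credentials are made up.
    cmd = ["hg", "clone", "--rev", "default",
           "https://alice:s3cret@hg.example.com/repo", "/ws/repo"]
    print(" ".join(redact_command(cmd)))
```

Only the echoed copy of the command is redacted; the process is still launched with the original arguments, so the credentials remain visible to anything that can read the process list on the build node.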