Some of the lookup plugins access files on the executor host. Obviously
that's not what we want, so block them like we block action plugins.
password.py is banned, although it could be filtered. However, the
upstream code is fairly intense and slated for refactoring - so let's
wait until someone gets upset about it.