The script shall be static, it shall use
-p "$(cat /path/to/password_file)" and the password shall be the only data in the password_file (protected by its mode or the mode of the to directory). Whenever you need to change the password for the script, you just update the whole password_file. It's quite easy to do this atomically and safely. I would create the to directory in a decent filesystem as accessible only for me (so I wouldn't need to separately protect every new file in it). Then printf '%s\n' 'p1wrd!cmd' > /path/to/new && mv /path/to/new /path/to/password_file should do.