You can make sure arbitrary code execution is not possible by disabling
pass's extension facility:

export PASSWORD_STORE_ENABLE_EXTENSIONS=false

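To confirm the workaround took effect, the following check is an added example and not part of the original advisory or of pass. It assumes pass runs a user extension only when the variable is exactly "true" and the file is an executable NAME.bash in PASSWORD_STORE_EXTENSIONS_DIR (default: .extensions inside the store); the function names are hypothetical.

```sh
# Added example; function names are hypothetical, not part of pass.
# Assumption: pass runs a user extension only when
# PASSWORD_STORE_ENABLE_EXTENSIONS is exactly "true" and the file is an
# executable NAME.bash in the extensions directory.

# list_user_extensions DIR: print executable *.bash files, one per line.
list_user_extensions() {
    [ -d "$1" ] || return 0
    for ext_file in "$1"/*.bash; do
        if [ -f "$ext_file" ] && [ -x "$ext_file" ]; then
            printf '%s\n' "$ext_file"
        fi
    done
    return 0
}

# audit_pass_extensions VALUE DIR: print a verdict and return
#   0 = facility disabled, 1 = enabled but no extension files,
#   2 = enabled and extension files present (review each one).
audit_pass_extensions() {
    ext_found=$(list_user_extensions "$2")
    if [ "$1" != "true" ]; then
        echo "OK: user extensions disabled (value: '${1}')"
        if [ -n "$ext_found" ]; then
            echo "dormant extension files:"
            echo "$ext_found"
        fi
        return 0
    fi
    if [ -z "$ext_found" ]; then
        echo "WARN: extensions enabled, none installed in $2"
        return 1
    fi
    echo "RISK: extensions enabled, these files can run:"
    echo "$ext_found"
    return 2
}

# Audit the current environment using the defaults assumed above.
store_dir=${PASSWORD_STORE_DIR:-${HOME:-}/.password-store}
audit_pass_extensions "${PASSWORD_STORE_ENABLE_EXTENSIONS:-}" \
    "${PASSWORD_STORE_EXTENSIONS_DIR:-$store_dir/.extensions}" ||
    echo "audit status: $?"
```

Run it from the same shell session (or login profile) in which pass is invoked, since the variable only protects processes that inherit it.
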
Impact

A remote attacker is able to bypass signature verification and register arbitrary keys for an account or execute arbitrary code on the host by providing the application with a crafted PGP signature packet.