Matching $outfile against a regular expression does not untaint it. You need to capture the file name like so

my ($safe_file_name) = $outfile =~ /^(\w+)$/;
if ( !$safe_file_name ) {
    # handle error & exit
)

open my $fh, '>', $safe_file_name;
[download]

I use the three argument form of open since it is safer, probably not a concern here but not a bad habit. I also use a lexical file handle $fh so I don't clobber a global somewhere else (or get clobbered by someone else's code).