perlsec:

       Any variable set to a value derived from tainted data will
       itself be tainted, even if it is logically impossible for
       the tainted data to alter the variable.
[download]

This is the case for the assignment to $foo. Because the data from scalar(<>) is tainted, the rest of the data in the construction of the anonymous hash is also tainted.

If you want to make sure that this doesn't happen, try assigning the values to $foo separately. For example:

$foo = { clean => 'filename.txt' };
$foo->{dirty} = <>;
[download]