If code inside an eval block dies, that error message is captured and put inside $@. The message for doing something bad with tainted data is something like "Insecure dependency in . . . ". So if the data is tainted, $@ will match /^Insecure/.

The match actually doesn't need to run. The eval will return false if it dies, so all that's really needed is to check the return value from eval. This is what Test::Taint does.