Perl has an unusual and extremely powerful feature known as “taint mode,” which is designed to recognize when user-provided (i.e. “tainted”) inputs are being used in what should be “trustworthy” situations.   This feature is especially designed for CGI situations, and is enabled by default most of the time.   You need to educate yourself about this facility, and abide by it in your code.

With that in mind, I’m really not too comfortable with the notion of having web-initiated code doing a pscp ... there is a serious potential for abuse here.   I would ponder strategies that would allow the web-server to somehow “pass a request to” another daemon or agent who would be responsible for doing the copy.   Something on the order of a “FastCGI” scenario.   This would sidestep the very-risky (and therefore, usually prohibited...) scenario of “Apache executing something.”