I think it's worth mentionning that:

delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # Make %ENV safer
$ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
[download]

is not safe practice. With this code we still don't know what's left in %ENV, possibly a malicious environment variable can remain that will affect an application in unforeseen ways. One should not remove information one thinks is unsafe, but rather explicitely set information known to be safe. This is exactly the same mistake as trying to remove unsafe characters from a string before passing it to a shell: the secure way is to do the opposite, remove any character which is not from a known safe set. In the %ENV example I suggest recreating the hash from scratch with known safe values.