Well, I guess if you had no master password, any script you expect people to run could have a surreptitious "pass <some args> | curl" to post password data to some web service of your choosing.
Still, if you use a password manager without a master password, I don't think you can be protected from consequence, regardless of what your tools do. Pass could refuse to allow the no master password scenario, or could force some type of blatant user interaction to allow it to work, but ultimately, that user is screwed by something somewhere.
