Pass doesn't handle your "master password" at all, it's completely delegated to GnuPG (pass is really nothing more than a shell wrapper your file system, GnuPG, and Git). Does GnuPG let you easily get away without a password on your key, I don't remember ATM.
It's completely possible to setup `pass` such that you can type `pass <name>` and it will print the password to stdout (you might has to pass an extra parameter or so) without ever asking the user to input anything to confirm they approve of this action.
Now if this were to become mainstream, it's almost guaranteed that some percentage of users will set it up to work that way.
And now you have the perfect opportunity to write a script that simply attempts to read passwords using pass and if it succeeds sends the results somewhere on the net.
