but if you `cd project && npm install compromised-package` then compromised-package's setup script can still read your env vars, right?