What security concerns are with allowing pgAgent to database users?

I have a customer who would like to use pgagent, however, as a DBA I have security concerns with pgagent having the ability to execute shell scripts from within the Postgres instance. Can anybody tell me how I might prevent pgagent from running ad-hoc shell scripts, or more generally how I can secure pgagent so that the customer can schedule any SQL against any database they have access to but not do much else? Thanks. Bill