Basically, I want to cache the credentials needed for New-PSSession and make them available to scripts so they don't have to nag a human.
If I use export-clixml or similar to store a PSCredential on disk, how much of a risk of compromise does that add over keeping it in a session variable?
PSCredential encrypts the string using that machine's private key. The encrypted data has the same level of protection at rest as it does in motion. The level of encryption is dependent upon the certificate being used, so check your environment's certificate template for machine auto enrollment (if you use it). Alternatively you could just look at the certificate on the machine in question.
Having said that, the string can easily be decrypted with a PowerShell one-liner (using .NET, not the built-in cmdlets). All someone needs is access to the system and the file. I strongly recommend you look at other alternatives, like a locally hosted password management tool.
How locked down is your server from an access perspective? Who has access to the server and what can be done if someone does get that password? Most folks could read your script, figure out what the password is used for and ultimately utilize it for malicious purposes. Even if it's encrypted.
If it was me, I'd look at a few different options:
1. If you haven't done so already, run the script as a scheduled task that has the credentials you need. If this is not doable because it's a different type of credential, option 2/3 would be preferred.
2. Look into something like "Secret Server": http://thycotic.com/products/secret-server/ This type of solution has APIs, so you can access the credentials from APIs.
3. There are tools like "JAMS" http://www.jamsscheduler.com/ that can also store credentials and run tasks / scripts as specific accounts. You can do things like build workflows too.
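
Added example, not part of the question or either answer above: one way to cache the credential for New-PSSession while limiting who can read the file, plus a check of who else has access to it. The function names, the file path and `server01` are hypothetical; it assumes Windows, where Export-Clixml protects the password with DPAPI under the exporting account.

```powershell
# Added example: hypothetical helpers, not code from the thread.
function Get-CachedCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # constructed, e.g. C:\ProgramData\Jobs\remote.cred.xml
        [string] $Prompt = 'Credential for remote sessions'
    )
    if (Test-Path -LiteralPath $Path) {
        # Import fails if the file was exported by a different account or on a different machine.
        try   { return Import-Clixml -LiteralPath $Path }
        catch { Write-Warning "Cannot decrypt '$Path' as $env:USERNAME; prompting again." }
    }
    $cred = Get-Credential -Message $Prompt
    $cred | Export-Clixml -LiteralPath $Path

    # Tighten the file ACL: stop inheriting from the folder and leave only the current account.
    # Keeping the file in a folder that is already restricted avoids the short window before this runs.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, drop inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void] $acl.RemoveAccessRule($rule)
    }
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $cred
}

function Get-CredentialFileExposure {
    # Lists every Allow entry on the file that is not in the expected set of accounts.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Allowed = @([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
    )
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $Allowed } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage (constructed names):
#   $cred = Get-CachedCredential -Path 'C:\ProgramData\Jobs\remote.cred.xml'
#   $session = New-PSSession -ComputerName 'server01' -Credential $cred
#   Get-CredentialFileExposure -Path 'C:\ProgramData\Jobs\remote.cred.xml'   # expect no rows
```

The ACL only controls who can read the file; anything that runs as the exporting account on that machine can still import the credential, which is the exposure the answers above are asking about.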