How to securely allow scp, but not ssh

How to securely allow scp, but not ssh

I work from a Mac Book Pro (called foo). I have a server where my
customers scp large files to. (called bar). I frequently ssh into bar, and
scp a file (called buzz) to my Mac.
bob@foo$ ssh bar
Last login: Fri Aug 23 14:49:32 2013 from foo
bob@bar$ scp /guest/buzz bob@foo:~
Password:
I don't want to enter my password every time I scp a file back to my Mac
because I'll eventually automate this.
I know I could setup ssh keys, but I am concerned that if someone hacks
bar that they could easily access foo. (Correct me if I'm wrong)
Is there a way to copy a file from bar to foo, without a password, that
wouldn't give someone full shell access to my Mac if the server was
compromised?
Note: I'm thinking setting up a new user on my Mac and disabling shell
access for that user might work, but I feel like there is a better way.
I'd rather not add users if possible.