Valuable feedback from @cboltz:

I just had a quick look at the vendor-* scripts, and both seem to use
fixed or predictable filenames in /tmp/ or /dev/shm/. Both directories
are world-writeable, which makes this a possible security issue (for
example allowing symlink attacks).

Please use mktemp -d to create a temporary directory in a secure
way.