Safely Creating Temporary Files in Shell Scripts (2005)

  • Section 3.5 doesn't seem very safe to me, because I think it allows the user running the script to dictate where the directory will be created via an environment variable.

    I don't know what specifically would be gained with that control. Maybe an attacker could specify a TMPDIR that resolves to a path on a FUSE mount and start doing nefarious things with the data in the tmp file?
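The concern in the comment above is that `TMPDIR` is caller-controlled input. One way a script can vet it before use, as an added example that is not from the article or from either commenter: the function names `tmpdir_is_trustworthy` and `make_private_tmpdir` are hypothetical, and the code assumes a POSIX shell with `mktemp -d` and `ls -ldn` available.

```shell
#!/bin/sh
# Added example: treat $TMPDIR as untrusted input before handing it to mktemp.
# Function names are hypothetical; sample policy, adjust to your environment.

# Succeeds only if $1 is an absolute, non-symlink directory owned by root or
# the invoking user, and is not group/world-writable unless the sticky bit is set.
tmpdir_is_trustworthy() {
    dir=$1
    case $dir in /*) ;; *) return 1 ;; esac          # reject relative paths
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1     # real directory, not a symlink
    # Parse "mode links uid ..." from one ls call (numeric uid via -n).
    read -r mode _links uid _rest <<EOF
$(ls -ldn -- "$dir")
EOF
    [ "$uid" = 0 ] || [ "$uid" = "$(id -u)" ] || return 1
    case $mode in
        d????????[tT]*) return 0 ;;                  # sticky bit set (like /tmp)
        d????w*|d???????w*) return 1 ;;              # shared-writable, no sticky
    esac
    return 0
}

# Prints the path of a fresh private directory. Falls back to /tmp when
# $TMPDIR fails the checks. mktemp -d still does the atomic, mode-0700 create;
# the checks above only decide which parent directory it may use.
make_private_tmpdir() {
    base=${TMPDIR:-/tmp}
    if ! tmpdir_is_trustworthy "$base"; then
        echo "ignoring untrusted TMPDIR=$base" >&2
        base=/tmp
    fi
    mktemp -d "$base/${1:-script}.XXXXXX"
}

# Typical use inside a script:
#   workdir=$(make_private_tmpdir myscript) || exit 1
#   trap 'rm -rf "$workdir"' EXIT
```

These checks cover path shape, ownership and permissions only; they do not identify the filesystem type backing the directory.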

  • These kinds of articles should not be considered guides, but bug reports instead.