
gmic script creates temporary files in an insecure way

Open marcespie opened this issue 4 years ago • 1 comment

file_rand : do filename=${-path_tmp}gmic$_pid{round(u(vector6(_'0'),vector6(_'9')))} while isfile(['{/$filename}']) u $filename

This is a well-known anti-pattern, known as a "race condition". Yes, there is a big random number, but it's not enough. With enough guesses, an attacker will create the file in the right location. There is no substitute for actually using mkstemp(3) on OSes that support it.

Moreover, those temporary files do not get cleaned up on exit, leading to a very large number of temporary files under /tmp at the end of the gmic build.

marcespie, May 06 '21 15:05

More specifically, there should be a built-in in gmic proper to create a temporary file. In an OS like OpenBSD, we've moved everything away from badly used mktemp patterns (fortran library, even gcc), about 15 years ago.

The risk is (apparently) small, but you can put some stress conditions on your OSes which make guessing easier.

marcespie, May 06 '21 15:05
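The two patterns the reporter contrasts, as an added C example (not gmic code, and not from the reporter): a check-then-create routine that emulates the script's file_rand logic beside an mkstemp(3) routine. It assumes the script's isfile() behaves like stat(2) and follows symlinks, works in a private scratch directory under $TMPDIR or /tmp so nothing else on the host is touched, and the guessed name gmic<pid>123456 and the victim_file target are constructed for the demonstration. The planted link is a dangling symlink, which lets the check-then-act gap show without having to win a timing race: the existence check reports "no file", the O_CREAT open follows the link anyway.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Private scratch directory for the demo (assumption: TMPDIR or /tmp is writable).
 * It is 0700 and not sticky, so Linux's fs.protected_symlinks does not interfere. */
static int scratch_dir(char *buf, size_t n)
{
    const char *base = getenv("TMPDIR");
    snprintf(buf, n, "%s/gmicdemo.XXXXXX", base ? base : "/tmp");
    return mkdtemp(buf) ? 0 : -1;
}

/* Emulation of the script's file_rand logic (assumption: isfile() is a stat(2)
 * style check that follows symlinks). Confirm the name is free, then open it
 * with O_CREAT but no O_EXCL. Returns 0 when the payload was written. */
static int racy_create(const char *path, const char *payload)
{
    struct stat st;
    if (stat(path, &st) == 0)          /* "isfile": name taken, caller retries */
        return -1;
    /* Race window: whatever sits at `path` by now is used, including a
     * dangling symlink that stat() just reported as "no file". */
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, payload, strlen(payload));
    close(fd);
    return n == (ssize_t)strlen(payload) ? 0 : -1;
}

/* Hardened version: mkstemp(3) picks the name and creates the file atomically
 * (O_CREAT|O_EXCL, mode 0600); fstat() then confirms we hold a fresh, private,
 * regular file. `tmpl` must end in XXXXXX and receives the real name. */
static int safe_create(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Constructed scenario: the attacker has guessed the pid+random name and planted
 * a dangling symlink there, aimed at a path the victim does not own yet.
 * use_excl=0 runs the script's pattern, use_excl=1 the O_EXCL open that
 * mkstemp() relies on. Returns 1 if the attacker's target got created. */
int demo_planted_symlink(int use_excl)
{
    char dir[256], guessed[512], target[512];
    if (scratch_dir(dir, sizeof dir) != 0)
        return -1;
    snprintf(guessed, sizeof guessed, "%s/gmic%ld123456", dir, (long)getpid());
    snprintf(target, sizeof target, "%s/victim_file", dir);
    if (symlink(target, guessed) != 0)     /* attacker's move */
        return -1;
    if (use_excl) {
        int fd = open(guessed, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) close(fd);            /* not expected: O_EXCL fails on a symlink */
    } else {
        racy_create(guessed, "data chosen by the victim process");
    }
    struct stat st;
    int target_created = lstat(target, &st) == 0 && S_ISREG(st.st_mode);
    unlink(target); unlink(guessed); rmdir(dir);
    return target_created;
}

/* mkstemp() end to end, including the unlink on the way out that the second
 * complaint (files left behind under /tmp) calls for. Returns 1 on success. */
int demo_mkstemp(void)
{
    char dir[256], path[512];
    if (scratch_dir(dir, sizeof dir) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/gmic.XXXXXX", dir);
    int fd = safe_create(path);
    if (fd < 0) { rmdir(dir); return 0; }
    int ok = strstr(path, "XXXXXX") == NULL;   /* template was filled in */
    ok = ok && write(fd, "data", 4) == 4;
    close(fd);
    ok = ok && unlink(path) == 0;              /* no leftover in the directory */
    struct stat st;
    ok = ok && stat(path, &st) != 0 && errno == ENOENT;
    rmdir(dir);
    return ok;
}
```

demo_planted_symlink(0) returns 1: the victim's data lands wherever the attacker pointed the link. demo_planted_symlink(1) returns 0: with O_EXCL a correct guess fails closed with EEXIST, and mkstemp() adds a name the attacker cannot predict on top of that. One caveat for Linux readers: fs.protected_symlinks (on by default in most distributions) refuses to follow another user's symlink in a sticky, world-writable directory such as /tmp, which narrows the exposure but does not remove it (same-user attacks, non-sticky directories, other operating systems); the demo's private directory is neither sticky nor world-writable, so the follow goes through as it would on OpenBSD. Whatever creates the file should also unlink it on exit, as demo_mkstemp does.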