Title: jspec-steventux 3.3.2.1 /tmp vulnerability
The install function unsafely creates a temporary file in /tmp to store the downloaded rhino.zip. A malicious local user could replace this file with one of their own, causing a modified jar file to be installed.
If a remote user can control #{uri}, they can inject commands directly into the shell, as the variable is not sanitized.
jspec-steventux-3.3.2.1/src/installables.rb:

      def install
        say "... fetching #{uri}"; `curl #{uri} -o /tmp/rhino.zip 2> /dev/null`
        say "... decompressing"; `unzip /tmp/rhino.zip -d /tmp`
        say "... installing to #{path}"; `mv /tmp/rhino1_7R2/js.jar #{path}`
      end
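
One way to close both issues, shown as an added example (not code from jspec or from this advisory): the download goes into a private directory from Dir.mktmpdir instead of a fixed /tmp path, and each command is passed to Kernel#system as an argument vector so no shell ever parses uri or path. The names SafeRhinoInstall, validated_uri, install_steps, the runner parameter and the http/https allow-list are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'uri'

# Hypothetical hardened replacement for the install method quoted above.
module SafeRhinoInstall
  ALLOWED_SCHEMES = %w[http https].freeze # assumption: only web downloads

  # Parse the URI and refuse anything that is not well-formed http(s).
  def self.validated_uri(uri)
    parsed = URI.parse(uri)
    unless ALLOWED_SCHEMES.include?(parsed.scheme) && !parsed.host.to_s.empty?
      raise ArgumentError, "refusing URI: #{uri.inspect}"
    end
    parsed.to_s
  rescue URI::InvalidURIError
    raise ArgumentError, "refusing URI: #{uri.inspect}"
  end

  # Build each step as an argv array. Kernel#system with several arguments
  # executes the program directly, so shell metacharacters stay literal.
  def self.install_steps(uri, path, workdir)
    zip = File.join(workdir, 'rhino.zip')
    [
      ['curl', '--fail', '--silent', '--output', zip, '--', validated_uri(uri)],
      ['unzip', '-q', zip, '-d', workdir],
      ['mv', '--', File.join(workdir, 'rhino1_7R2', 'js.jar'), path]
    ]
  end

  # Dir.mktmpdir creates a fresh directory with an unpredictable name and
  # mode 0700, then removes it when the block returns, so another local
  # user cannot pre-create or swap rhino.zip.
  def self.install(uri, path, runner: ->(argv) { system(*argv) })
    Dir.mktmpdir('rhino-') do |workdir|
      install_steps(uri, path, workdir).each do |argv|
        runner.call(argv) or raise "step failed: #{argv.first}"
      end
    end
    true
  end
end
```

The runner parameter exists only so the steps can be inspected without network access; by default it calls system(*argv).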