diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..d2b9aa2
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,15 @@
+# Sentinel Journal
+
+## 2024-04-11 - [Insecure Temporary File Usage for yq Download]
+
+**Vulnerability:** Predictable temporary file path `/tmp/yq` used during
+download and installation in `tools/os_installers/apt.sh`.
+
+**Learning:** Hardcoding `/tmp/yq` allows a malicious local user to pre-create
+`/tmp/yq` (e.g., as a symlink or with specific permissions), leading to potential
+privilege escalation or overriding of files when `sudo mv /tmp/yq ...` is
+executed.
+
+**Prevention:** Always use securely generated random directories like
+`mktemp -d` and wrap in a subshell with a cleanup trap to prevent local
+privilege escalation and symlink attacks.
diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh
index 156016b..d233a3e 100644
--- a/tools/os_installers/apt.sh
+++ b/tools/os_installers/apt.sh
@@ -231,9 +231,13 @@ fi
 echo "Installing yq..."
 if ! command -v yq &> /dev/null; then
     YQ_VERSION="v4.44.6"
-    wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
-    sudo mv /tmp/yq /usr/local/bin/yq
-    sudo chmod +x /usr/local/bin/yq
+    (
+        TMP_DIR=$(mktemp -d)
+        trap 'rm -rf "$TMP_DIR"' EXIT
+        wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
+        sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
+        sudo chmod +x /usr/local/bin/yq
+    )
 fi
 # Install lsd (LSDeluxe)
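Review bot: `sudo mv "$TMP_DIR/yq" /usr/local/bin/yq` keeps the downloading user as the owner of the installed file (mv preserves ownership, and root's mv does so across filesystems as well), so after the `chmod +x` the binary in `/usr/local/bin` remains writable by that unprivileged account; `sudo install -o root -g root -m 0755 "$TMP_DIR/yq" /usr/local/bin/yq` replaces both lines and sets root ownership and mode in one step. The download is also installed unverified: since `YQ_VERSION` is already pinned, the SHA-256 of `yq_linux_amd64` for that release (from the release's published checksum file) can be pinned next to it and checked with `sha256sum -c` before installing. Nothing in the subshell checks that `mktemp -d` or `wget` succeeded and the subshell's exit status is discarded, so a failed or partial download still reaches the privileged copy; whether `set -e` is active in this script is not visible in the hunk, so the subshell should enable it itself and the `if` block should act on the subshell's status.
```shell
    YQ_SHA256="<EXPECTED_SHA256_OF_yq_linux_amd64_FOR_PINNED_VERSION>"  # placeholder: take from the release checksum file
    (
        set -e
        TMP_DIR=$(mktemp -d)
        trap 'rm -rf "$TMP_DIR"' EXIT
        # … unchanged: wget download into "$TMP_DIR/yq" …
        printf '%s  %s\n' "$YQ_SHA256" "$TMP_DIR/yq" | sha256sum -c -
        sudo install -o root -g root -m 0755 "$TMP_DIR/yq" /usr/local/bin/yq
    ) || { printf 'yq installation failed\n' >&2; exit 1; }
```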