Description
README.md currently recommends -r -a "/tmp/.ssh-pageant-$USERNAME", but this isn't really a good choice when /tmp is a world-writable directory. The $USERNAME piece helps against accidental collision, but a local attacker could precreate their own agent on the same path and then happily receive all the keys that the victim tries to ssh-add.
(It's OK to use /tmp/ in the default case, without -r -a, because mkdtemp makes sure that you get a unique subdirectory with private permissions.)
In practice, this probably isn't a big deal since Windows is rarely a multiuser environment. A shared RDP machine is the most likely case where I expect this might come up.
Still, /tmp/ is a bad static recommendation. Perhaps $LOCALAPPDATA/ssh-pageant-sock would be better, especially with #23 and #24 fixed.
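A check that could run before reusing a fixed socket path, as an added example (not part of the issue or of ssh-pageant): it refuses any path whose parent directory another local user could write to, which is the condition that lets someone else pre-create the agent socket. The function name `sock_path_is_private` is hypothetical, and the code assumes GNU `stat` and POSIX permission bits as Cygwin/MSYS present them.

```shell
# Added example: succeed only if nobody but the current user could have
# created (or could replace) the agent socket at the given path.
sock_path_is_private() {
    sock=$1
    dir=$(dirname -- "$sock")
    me=$(id -u)

    # The parent must be a real directory, not a symlink someone can retarget.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1

    # The parent must belong to us ...
    [ "$(stat -c %u -- "$dir")" = "$me" ] || return 1

    # ... and must not be writable by group or others. The octal mode's last
    # digit is "other", the one before it is "group"; 2, 3, 6, 7 carry the
    # write bit. A world-writable directory such as /tmp (1777) fails here.
    case $(stat -c %a -- "$dir") in
        *[2367] | *[2367]?) return 1 ;;
    esac

    # If something already sits at the path, it must not be a symlink and
    # must be ours; otherwise -r would reuse an agent we did not start.
    if [ -L "$sock" ]; then
        return 1
    fi
    if [ -e "$sock" ]; then
        [ "$(stat -c %u -- "$sock")" = "$me" ] || return 1
    fi
    return 0
}

# Intended use (commented out so the block has no side effects):
#   sock_path_is_private "$sock" && eval "$(ssh-pageant -r -a "$sock")"
```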