
Security: IAMMARBIT/AgentHUD


SECURITY.md

Security Model

TL;DR

AgentHUD runs entirely on your local machine by default. Nothing leaves your computer except (a) fetching the public community skin registry from GitHub when you open the browser, and (b) downloading skin zips you explicitly click to install. There is no telemetry, no analytics, no remote logging.

The one real trust decision you make is which skins you install — skins can include Python plugin widgets that run inside AgentHUD's process. This is the same trust model as VSCode extensions or Obsidian plugins.

Threat model

| Asset | Default exposure | Where it's at risk |
| --- | --- | --- |
| Agent activity (task names, tool calls, args) | Localhost-only WebSocket | If you change AGENTHUD_HOST to 0.0.0.0, anyone on your LAN can read it |
| Your filesystem | Read/write by AgentHUD process | A malicious plugin widget could read/write anything you can |
| Your environment variables (API keys, secrets) | Read by AgentHUD process | A malicious plugin widget could read them |
| Your settings + installed skins | ~/.agenthud/ | Plugins can read/write here |
| Outbound network | None by default | Plugins could make network calls |

What's safe

  • Localhost binding — the WS server defaults to 127.0.0.1:8765. No remote machine can reach it. If you change AGENTHUD_HOST to a non-localhost address, the overlay prints a prominent warning at startup.
  • No telemetry — AgentHUD does not call home. There is no analytics SDK, no error reporting endpoint, no usage counter.
  • No background network — the only outbound HTTP requests are: (1) fetching registry.json when you open the community skin browser, and (2) downloading a skin zip when you click Install. Both are user-initiated.
  • Zip-slip protection — when installing a skin, AgentHUD refuses any zip whose extracted paths escape the target folder.
  • Manifest validation — install is rejected if the unpacked zip doesn't contain a valid manifest.json.
  • Top-level prefix check — install refuses zips whose top folder doesn't match the registry entry's name (a bait-and-switch zip can't overwrite another skin).
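The three install checks above (zip-slip, manifest validation, top-level prefix), shown together as an added Python example; this is not AgentHUD's own installer code, and the install directory, skin name and zip contents are constructed for the illustration.

```python
import io
import json
import zipfile
from pathlib import Path

# Constructed install dir for the example; AgentHUD's real location is not assumed.
INSTALL_DIR = Path("agenthud_skins_example").resolve()


class SkinInstallError(Exception):
    pass


def check_skin_zip(zip_bytes: bytes, expected_name: str, dest: Path = INSTALL_DIR) -> list[str]:
    """Apply the zip-slip, prefix and manifest checks without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        for name in names:
            # Zip-slip: resolve() collapses '..', so an escaping entry ends up
            # outside dest; absolute member names are rejected outright.
            target = (dest / name).resolve()
            if Path(name).is_absolute() or dest not in target.parents:
                raise SkinInstallError(f"path escapes install dir: {name!r}")
            # Prefix check: the top folder must equal the registry entry's name,
            # so a bait-and-switch zip cannot overwrite another installed skin.
            if Path(name).parts[0] != expected_name:
                raise SkinInstallError(f"top folder mismatch: {name!r}")
        # Manifest validation: <name>/manifest.json must exist and parse as a JSON object.
        manifest_path = f"{expected_name}/manifest.json"
        if manifest_path not in names:
            raise SkinInstallError("manifest.json missing")
        if not isinstance(json.loads(zf.read(manifest_path)), dict):
            raise SkinInstallError("manifest.json is not a JSON object")
        return names


def install_verdict(zip_bytes: bytes, expected_name: str) -> str:
    """'ok' if every check passes, otherwise the rejection reason."""
    try:
        check_skin_zip(zip_bytes, expected_name)
        return "ok"
    except (SkinInstallError, zipfile.BadZipFile, ValueError) as exc:
        return f"rejected: {exc}"


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {member name: content} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


GOOD = build_zip({"matrix/manifest.json": b'{"name": "matrix"}', "matrix/widgets/rain.py": b"pass"})
SLIP = build_zip({"matrix/manifest.json": b'{"name": "matrix"}', "matrix/../../evil.py": b"pass"})
SWAP = build_zip({"other/manifest.json": b'{"name": "other"}'})  # top folder != "matrix"
```

Running `install_verdict(SLIP, "matrix")` and `install_verdict(SWAP, "matrix")` returns a rejection naming the failed check, while `GOOD` passes all three.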

What's NOT safe (by design)

Plugin widgets run arbitrary Python

Skins can ship widgets/*.py files that AgentHUD imports and then runs every frame. This is intentional: it's what lets creators build the matrix code rain, holographic foil, jarvis HUD, etc. without forking AgentHUD.

A malicious plugin can:

  • Read any file your user account can read
  • Write to your filesystem
  • Make outbound network calls (exfiltrate data)
  • Read environment variables (API keys, tokens)
  • Spawn subprocesses

Mitigations in place:

  1. Curated registry. Every skin submitted to the official registry (IAMMARBIT/agenthud-skins) is reviewed via PR before being merged. Plugin Python is read by a maintainer.
  2. Install confirmation dialog warns: "Skins can include custom Python widgets, which run inside AgentHUD. Only install from sources you trust."
  3. Errors are contained — exceptions in a plugin's paint() are caught so a buggy plugin doesn't crash the HUD, but a malicious one can still do damage on import.

Future hardening on the roadmap:

  • Signed skins (creator signature + registry counter-signature)
  • Plugin permission manifests (declare what filesystem / network access the skin needs; HUD enforces)
  • Static analysis bot on the registry PR (auto-flag subprocess, eval, urllib, etc.)

What you should NOT do

  • Don't install skin zips from random URLs. Always go through the community browser, which only lists registry-reviewed skins.
  • Don't expose the WS server publicly. Keep AGENTHUD_HOST=127.0.0.1 (the default). Setting it to 0.0.0.0 puts your agent activity on the open LAN.
  • Don't run AgentHUD as root / Administrator. No reason to; plugins inherit those privileges.

Reporting a security issue

Find something? Open a private security advisory on GitHub: github.com/IAMMARBIT/AgentHUD/security/advisories/new. Don't open a public issue for security bugs until they're patched.

For malicious skins in the registry: open an issue at IAMMARBIT/agenthud-skins or email the maintainer. We'll yank the entry from registry.json and take a hard look at the rest of that creator's submissions.

What we collect

Nothing.

Cryptographic dependencies

  • websockets (BSD-3) — used for the local WS server
  • PyQt6 — used for the overlay rendering
  • Pillow — used for image processing in tests / asset generators
  • urllib.request (Python stdlib) — used for registry fetch + skin downloads

No remote crypto / signing in v1. Signed skins are on the roadmap.
