
This is neat, but the complete lack of access control (UDP) just doesn't seem prudent in 2016.


I assume it binds to the loopback interface so that other hosts can't send messages. Regardless, a UDP interface does seem odd for this sort of tool.

Edit: nope. It listens on all interfaces. At least an attack can only maliciously change your menubar colour.


Well, assuming the syntax for calling local files isn't breakable by using "../square" to open executables with JPEG extensions too... ;)


I just started reading the code. I don't write Objective-C, but it looks to me as though it will have some vulnerabilities with how it opens images for the dots (but maybe it's some sort of resource opening thing that doesn't have the usual path escape vulnerabilities).


I think you shouldn’t open random UDP ports to the outside world in the first place.
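
An added example, not part of the thread or the tool's own code, showing the two mitigations the comments above point at: binding the UDP listener to loopback only, and confining a requested image name to a resource directory. The function names, the one-image-name-per-datagram message format and the directory layout are assumptions made for illustration.

```python
import os
import socket
import tempfile

LOOPBACK = "127.0.0.1"  # assumption: only local processes need to send commands


def make_listener(host=LOOPBACK, port=0):
    """Return a UDP socket bound to one address; port 0 lets the OS pick."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(2)
    sock.bind((host, port))  # binding to "" or "0.0.0.0" would expose every interface
    return sock


def resolve_image(data, base_dir, allowed_ext=(".png", ".jpg", ".jpeg")):
    """Map an untrusted datagram to an image file inside base_dir, or None."""
    try:
        name = data.decode("utf-8").strip()
    except UnicodeDecodeError:
        return None
    if not name or "\x00" in name or os.path.isabs(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath collapses ".." and follows symlinks, so check the final location
    if os.path.commonpath([base, candidate]) != base:
        return None
    if os.path.splitext(candidate)[1].lower() not in allowed_ext:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Send constructed datagrams over loopback; report which ones resolve."""
    with tempfile.TemporaryDirectory() as root:
        images = os.path.join(root, "images")
        os.mkdir(images)
        open(os.path.join(images, "square.png"), "wb").close()
        open(os.path.join(root, "square.jpg"), "wb").close()  # outside images/
        results = {}
        with make_listener() as rx, make_listener() as tx:
            for msg in (b"square.png", b"../square.jpg", b"/etc/passwd"):
                tx.sendto(msg, rx.getsockname())
                data, _ = rx.recvfrom(1024)
                results[msg] = resolve_image(data, images) is not None
        return results
```

Loopback binding only limits who can reach the socket; any local process can still send datagrams, so the name check is needed either way.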



