felixhageloh / uebersicht

ˈyːbɐˌzɪçt


Übersicht security risks when running arbitrary shell commands over HTTP

alexanderflink opened this issue · comments

I noticed that Übersicht listens for commands sent to 127.0.0.1:41416/run and runs whatever shell commands are sent there. I am not very knowledgeable about computer security, but this seems like a security risk to me. Any program on my computer (including the browser) basically now has shell access.

As an example, I tried this command in the terminal:

curl -H "Origin: http://127.0.0.1:41416" -H "Host: 127.0.0.1:41416" -X POST 127.0.0.1:41416/run/ -d 'echo I have shell access'

and it works, which is worrying to me.

Can Übersicht function without having this command server? Or is this in fact not a security risk at all? If so, could you please explain why?

Thanks!

> including the browser

This part is not accurate. Try running this in your browser, even from http://127.0.0.1:41416:

fetch('http://127.0.0.1:41416/run/', {
    method: 'POST',
    headers: {
        // Origin and Host are forbidden request headers in the Fetch standard:
        // a browser silently drops them and sends the page's real origin instead.
        'Origin': 'http://127.0.0.1:41416',
        'Host': '127.0.0.1:41416',
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: 'echo I have shell access'
});

Unless you are exposing port 41416 to the public, which you should definitely not have a reason to do, the only way for this server to be called is from a process running on your machine. If you have a malicious process running on your machine with network access, it probably already has what it needs to run arbitrary commands.

Maybe I'm missing something, but I don't think this is a big deal.
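The two claims in this thread (the issue's "any program, including the browser, now has shell access" and the reply's "a browser page cannot do this") differ on exactly one point: who controls the Origin header. The following is an added illustration, not Übersicht's own code, that models a loopback command runner guarded by an Origin check and the two kinds of client that can reach it. The trusted origin, the header subset, the 404/403/200 statuses and the `demo()` helper are assumptions made for the example; the real server may apply further checks, and nothing here executes a command, the server model only reports what it would have run.

```javascript
// Added illustration, not Übersicht's own code: a model of a loopback
// "run this shell command" endpoint guarded by an Origin check, and of the
// two kinds of client that can reach it. No command is ever executed here.

const TRUSTED_ORIGIN = 'http://127.0.0.1:41416'; // assumption: the server trusts only itself

// Subset of the Fetch standard's forbidden request header names. Page script
// cannot set these; the browser discards them and supplies its own values.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  'origin', 'host', 'cookie', 'referer', 'content-length', 'connection',
]);

function isForbiddenHeader(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_REQUEST_HEADERS.has(n) || n.startsWith('sec-') || n.startsWith('proxy-');
}

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Server side (modelled): accept the request only if the client claims to be
// a page that the command runner itself served.
function runEndpoint(req) {
  const h = lowerKeys(req.headers);
  if (req.method !== 'POST' || !/^\/run\/?$/.test(req.path)) {
    return { status: 404, ran: null };
  }
  if (h['origin'] !== TRUSTED_ORIGIN) {
    return { status: 403, ran: null }; // foreign or missing Origin: refuse
  }
  return { status: 200, ran: req.body }; // a real server would hand req.body to a shell here
}

// Client 1: a browser page. For a POST the browser always sends the page's
// real origin as Origin and the URL's real host as Host, dropping whatever
// forbidden headers the script tried to set. With a form content type this
// is a CORS "simple" request, so the browser still sends it; only the
// server's own check decides whether the command runs.
function browserFetch(pageOrigin, url, init) {
  const target = new URL(url);
  const headers = {};
  for (const [k, v] of Object.entries(init.headers || {})) {
    if (!isForbiddenHeader(k)) headers[k.toLowerCase()] = v;
  }
  headers['origin'] = pageOrigin;
  headers['host'] = target.host;
  return runEndpoint({ method: init.method || 'GET', path: target.pathname, headers, body: init.body });
}

// Client 2: any local process (curl, a script, malware). It speaks HTTP
// directly and puts whatever it likes in Origin and Host.
function localProcessRequest(url, init) {
  const target = new URL(url);
  return runEndpoint({ method: init.method || 'GET', path: target.pathname, headers: lowerKeys(init.headers), body: init.body });
}

// Constructed request mirroring the curl command from the issue.
const RUN_URL = 'http://127.0.0.1:41416/run/';
const SPOOFED = {
  method: 'POST',
  headers: { 'Origin': TRUSTED_ORIGIN, 'Host': '127.0.0.1:41416', 'Content-Type': 'application/x-www-form-urlencoded' },
  body: 'echo I have shell access',
};

function demo() {
  return {
    // a page on some other site: its spoofed Origin is dropped, the real one is sent
    crossOriginPage: browserFetch('https://attacker.example', RUN_URL, SPOOFED),
    // a page the runner itself served (its own widgets): passes, as it must
    sameOriginPage: browserFetch(TRUSTED_ORIGIN, RUN_URL, SPOOFED),
    // curl from the terminal: headers go through verbatim, the command would run
    localProcess: localProcessRequest(RUN_URL, SPOOFED),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and compare the three results: the cross-origin page is refused with 403, while the local process, sending the same headers curl sent in the issue, gets 200 and its body would reach the shell. The Origin check therefore defends against web pages on other origins, not against code already running on the machine, which is the distinction the reply draws.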