With respect to creating a remote script instance? What script? The attacker would need to find a way to upload an arbitrary script to the server, then instantiate it remotely.
He wouldn’t need to upload it to the server if he is the man in the middle. You could send the client a required resource via Scene::AddRequiredPackage() and then instanciate it.
It would be entirely possible to write a malicious urho application that sits in the middle of a server/client connection and “filters” the scene.
The core issue is: The client has no way of verifying whether the network packets it’s receiving are actually from the server.
If the server and client were to cryptographically sign every network packet using previously exchanged public keys, I think it would mitigate all of my concerns.
I see in the PR @dertom linked, SLikeNet libcat does what I need.