Node Red Manager

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Node-RED admin helper, but it can make immediate persistent changes to live automation systems without strong safeguards.

Install only if you intend to administer a Node-RED instance you control. Verify NODE_RED_URL before entering credentials, keep the .env file private, review flow JSON before deploy or restore, back up before destructive actions, and be especially careful with exec nodes or third-party node modules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and relies on sensitive capabilities including environment access, file read/write, and network access, yet does not declare permissions or constraints. In a tool that manages a live Node-RED instance with admin credentials, this weakens reviewability and can allow the agent to perform privileged actions without explicit user or platform awareness.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill exposes arbitrary read/write access to Node-RED context stores and keys, which can include secrets, state, tokens, and control data unrelated to the manifest's stated scope. In agentic use, this broad capability increases the risk of unauthorized data access or silent workflow manipulation if invoked with untrusted instructions.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases "build automation", "connect devices", and "fix node-red" are broad enough to match many ordinary user requests, which can cause the skill to activate outside its intended administrative context. Because this skill can deploy flows, install nodes, and change runtime state, over-broad invocation increases the chance of unintended privileged actions on infrastructure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes destructive operations such as deleting flows, restoring backups, removing nodes, and changing runtime state without any warning, confirmation, or rollback guidance. In the context of a live Node-RED admin skill, this can lead to service disruption, loss of automation logic, or accidental production outages if invoked casually or automatically.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The backup routine writes full flow definitions to disk without any warning, confirmation, or file-permission controls. Node-RED flows often embed credentials, endpoints, and operational logic, so silent persistence to an arbitrary path can create sensitive-data exposure on shared hosts or agent-run environments.

Missing User Warnings

High
Confidence
96% confidence
Finding
Restore immediately deploys flows from a local file, replacing live Node-RED configuration without any confirmation, dry-run, integrity check, or rollback guard. In this skill context, that is especially dangerous because deployed flows can alter automation behavior, disrupt operations, or introduce malicious logic into a running Node-RED instance.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
97% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
93% confidence
Finding
python-dotenv

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
78% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.
