Skill v1.0.0
VirusTotal security
Node Red Manager · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review Apr 30, 2026, 3:51 AM
- Hash: d87939d3fdc51e540c18b009ff3a86f267d30978eecd06638d859b18273dfee5
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: node-red-manager. Version: 1.0.0. The skill is designed for legitimate Node-RED management, but the `scripts/nr_api.py` script contains path traversal vulnerabilities in its file handling functions (`backup_flows`, `restore_flows`, `deploy`, `update_flow`). These flaws allow an attacker to specify arbitrary file paths (e.g., `../../../etc/passwd` or `../../../tmp/malicious_flow.json`) when using the CLI commands. This could lead to arbitrary file reads (LFI) or, more critically, Remote Code Execution (RCE) by deploying malicious Node-RED flows containing `exec` nodes (a capability explicitly noted as an RCE risk in `references/admin-api.md`) from an attacker-controlled file path. There is no evidence of intentional malicious behavior, but the severe vulnerabilities warrant a 'suspicious' classification.
