1999azzar

Node Red Manager

by azzar budiyanto · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
873 Downloads · 0 Stars · 2 Active Installs · 1 Versions
Install in OpenClaw
/install node-red-manager
Description
Manage Node-RED instances via Admin API or CLI. Automate flow deployment, install nodes, and troubleshoot issues. Use when user wants to "build automation", "connect devices", or "fix node-red".
Usage Guidance
This skill appears to implement a legitimate Node-RED admin client, but there are multiple incoherences you should resolve before installing or giving it credentials:

- Do not provide admin credentials until you review the code and are comfortable. The Python client expects NODE_RED_USERNAME / NODE_RED_PASSWORD and NODE_RED_URL but the registry metadata does not declare them. Use a least-privilege admin account and rotate credentials afterwards.
- Verify the CLI wrapper: SKILL.md commands reference scripts/nr but the repo contains scripts/nr_api.py only. Confirm how the CLI is invoked and whether any wrapper will be installed or created automatically.
- Review the included flow (assets/flows/watchdog.json). It contains an exec node that will run shell commands on the Node-RED host (currently configured to run 'uptime -p' every 5s). Because the skill can deploy flows via the Admin API, deploying unreviewed flows can execute arbitrary commands on the host. Only deploy flows you trust and review them for exec/http-request/function nodes that could be abused.
- The SKILL.md references Docker compose operations and a specific service name and URL — ensure those are relevant to your environment and that Docker/docker-compose are present before running those commands.
- Check for missing files the instructions mention (e.g., .env.example). If the skill claims to 'auto-handle dependencies', inspect whether it will run pip installs automatically or require manual setup.

If you want to proceed: run the client in an isolated/test environment first, inspect and sanitize any flows before deployment, provide a least-privilege account, and consider network/firewall restrictions around your Node-RED instance. If you can get the maintainers to fix the manifest (declare required env vars, provide a proper CLI wrapper, remove or explain the hard-coded infra hints), the coherence and safety posture will improve.
Capability Analysis
Type: OpenClaw Skill
Name: node-red-manager
Version: 1.0.0

The skill is designed for legitimate Node-RED management, but the `scripts/nr_api.py` script contains path traversal vulnerabilities in its file handling functions (`backup_flows`, `restore_flows`, `deploy`, `update_flow`). These flaws allow an attacker to specify arbitrary file paths (e.g., `../../../etc/passwd` or `../../../tmp/malicious_flow.json`) when using the CLI commands. This could lead to arbitrary file reads (LFI) or, more critically, Remote Code Execution (RCE) by deploying malicious Node-RED flows containing `exec` nodes (a capability explicitly noted as an RCE risk in `references/admin-api.md`) from an attacker-controlled file path. There is no evidence of intentional malicious behavior, but the severe vulnerabilities warrant a 'suspicious' classification.
Capability Assessment
Purpose & Capability
Name/description align with the code and docs: the Python client implements Node-RED Admin API operations (flows, nodes, context, backup). However SKILL.md refers to a CLI executable 'scripts/nr' while the repository contains only scripts/nr_api.py (no CLI wrapper), and the skill metadata claims no required env vars while both SKILL.md and the Python code require NODE_RED_URL / NODE_RED_USERNAME / NODE_RED_PASSWORD. The SKILL.md also lists a specific stack location, docker service name, and an external URL (https://flow.glassgallery.my.id) that are not manifest-backed and may be irrelevant or misleading.
Instruction Scope
Runtime instructions ask users to set admin credentials and run CLI commands and docker compose operations. The skill includes an example flow (assets/flows/watchdog.json) that contains an 'exec' node configured to run 'uptime -p' on the Node-RED host and an inject node that triggers it every 5s. Because the skill can deploy flows via the Admin API, deploying arbitrary flows (or the supplied flow) can cause commands to execute on the Node-RED host — a real RCE risk if flows are malicious or modified. SKILL.md also instructs copying .env.example, but no .env.example is present in the manifest. Overall instructions extend beyond mere API calls (they assume Docker presence and specific deployment layout) without declaring those requirements.
Install Mechanism
There is no install spec (instruction-only + some code files). requirements.txt lists requests and python-dotenv, and SKILL.md claims 'script automatically handles dependencies on first run' but no installer is provided. That is common but means the environment must satisfy dependencies beforehand; there is no automated, tracked install source or external downloads to raise higher install risk.
Credentials
The code requires admin credentials (NODE_RED_USERNAME / NODE_RED_PASSWORD) and a Node-RED URL (NODE_RED_URL) to function — reasonable for an admin tool — but the skill registry metadata incorrectly lists no required environment variables. This mismatch is important: the agent will prompt or expect secrets but the registry doesn't declare them. Requesting admin credentials is proportionate to the claimed purpose, but you should only provide them for a trusted Node-RED instance and consider using a least-privilege account.
Persistence & Privilege
The skill is not marked 'always' and uses the platform defaults for invocation. It does not request system-wide config paths or other skills' credentials. No evidence it modifies other skills or requests permanent elevated presence.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install node-red-manager
  3. After installation, invoke the skill by name or use /node-red-manager
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of node-red-manager – automate, deploy, and troubleshoot Node-RED via Admin API or CLI.

- Manage flows: list, get, deploy, update, delete, and handle runtime state.
- Backup and restore flows with simple CLI commands.
- Install, enable, disable, and remove Node-RED nodes.
- Inspect runtime settings and diagnostics.
- Manage Node-RED context (global/flow) values.
- Integrated Docker operations for restart and log viewing.
- Supports both new and legacy environment variable names.
Metadata
Slug node-red-manager
Version 1.0.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is Node Red Manager?

Manage Node-RED instances via Admin API or CLI. Automate flow deployment, install nodes, and troubleshoot issues. Use when user wants to "build automation", "connect devices", or "fix node-red". It is an AI Agent Skill for Claude Code / OpenClaw, with 873 downloads so far.

How do I install Node Red Manager?

Run "/install node-red-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Node Red Manager free?

Yes, Node Red Manager is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Node Red Manager support?

Node Red Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Node Red Manager?

It is built and maintained by azzar budiyanto (@1999azzar); the current version is v1.0.0.
