You called?
You probably aren't introducing more issues as long as the terminal runs as the same user as Node-RED, which I assume it does.
On the other hand, you aren't helping security either.
At the very least, I would include plenty of info in the docs and the help panel to make people aware of the risks. Both about the risks of not using https and the risks of not adding Node-RED admin login.
I would avoid the problems of having your own login/user-change though, at least for now. That could be a later enhancement once you've got the basics nailed down.
And I wouldn't worry too much about http vs https since some of us already bang on about that enough and you will have the info in your help/docs.
Yes, if you haven't already, sign up for a service to check your package and its dependencies so that you are notified when vulnerabilities are found. Your GitHub repo can do some of that but I'd look for a separate service as well. You will want to be on top of that.
Great addition to Node-RED by the way, nice one.