On the safety of installing contributed nodes

Simply put, are there any security concerns with using Manage Palette to install node-red-contrib-blah-blah?

Exactly the same as installing anything from npmjs.org (buyer beware)

The Node-RED project does not (currently*) do any vetting of what is submitted and presented by the catalogue.

*This is not an announcement of anything that is coming, but is a concept that has been discussed in the past, but it would likely have to be a paid for service as it would be time consuming and especially if any sort of liability was attached.

But if you find anything that you think is a risk/problem do report it as things can be blocked/removed if needed.

The Node-RED project does not do any vetting of what is submitted and presented by the catalogue

Hmm that's what I thought.

On my Raspberry, Node-red runs as the user pi, which has sudo access without a password.
So I presume any node installed effectively has root privileges.
I know passwordless sudo is of itself a security issue.

What's the extent of any risk? Does the installation process run code provided with a node, or only when you include it in a flow?

Presumably if a contributor's GitHub account was compromised, malicious code could be inserted in a previously safe node?

Again same as with npm. It is possible for packages to include install hook scripts (scripts | npm Docs) so just installing can be enough to compromise a machine.

The problem is more the npm account than github (though github owns npmjs.org thes days) which is why they are basically forcing 2fa on everybody slowly at the moment. But if they have automation setup then compromising the GH account could be enough.

I've been curious about this also. Is there a way for the developer to sign the flow/library? I wonder how you could handle this with a team?

Sorry thinking out loud.