I agree with GeometriX and —
This is a topic that comes up really often on the nw mailing list. There are ways to send malicious nodejs code to someone using a node-webkit exported app. After all, it's just a browser with the capability to munch nodejs code.
There are ways to control this and be safe.
You can mess with the manifest file and set the "node-remote" field or the "nodejs" field to enable/disable nodejs.
With iframes, you can check out this wiki page for more info.
The idea is that your app doesn't have any malicious code, and that you protect yourself from others injecting possibly malicious code.
Although, I have contemplated a fast platformer that deletes your hard drive when you die.
edit: Wiki on security
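
A sketch of how the two manifest fields mentioned in the post could be checked before shipping an app. This is an added example, not part of the original post or of node-webkit itself. `auditManifest`, `isBroad` and the sample manifests are hypothetical, and the code assumes that `"nodejs": false` disables Node support and that `"node-remote"` is a string or an array of URL match patterns.

```javascript
// Constructed sample manifests (not from any real app).
const SAMPLES = {
  locked: { name: "game", main: "index.html", nodejs: false },
  wide: { name: "game", main: "index.html", "node-remote": "<all_urls>" },
  mixed: {
    name: "game",
    main: "index.html",
    "node-remote": ["https://app.example.com/*", "http://cdn.example.com/*", "*://*/*"],
  },
};

// True when the pattern's host part matches every host.
function isBroad(pattern) {
  if (pattern === "*" || pattern === "<all_urls>") return true;
  const m = /^[^:]+:\/\/([^/]*)/.exec(pattern);
  return m !== null && m[1] === "*";
}

// Hypothetical helper: returns a list of findings for one parsed manifest.
function auditManifest(manifest) {
  // Assumption: "nodejs": false turns Node support off, so remote grants do not apply.
  if (manifest.nodejs === false) return [];
  const raw = manifest["node-remote"];
  const patterns = raw === undefined ? [] : [].concat(raw); // string or array
  const findings = [];
  for (const p of patterns) {
    if (typeof p !== "string" || p.trim() === "") {
      findings.push(`node-remote entry ${JSON.stringify(p)} is not a usable pattern`);
    } else if (isBroad(p)) {
      findings.push(`node-remote "${p}" lets any remote host call Node`);
    } else if (/^(http|\*):\/\//i.test(p)) {
      findings.push(`node-remote "${p}" lets unencrypted http pages call Node`);
    }
  }
  return findings;
}

for (const [name, manifest] of Object.entries(SAMPLES)) {
  console.log(name, auditManifest(manifest));
}
```

An empty result means no remote origin is granted Node access by the manifest; it says nothing about iframes or about code bundled in the app.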