The product has an "SOS" feature built in that can immediately make a call to the parent's own device.
But according to the NCC – which partnered with security firm Mnemonic – strangers or hackers could take control of the watch with "a few easy steps".
John Lewis later pulled the Gator watch it was selling, which is distributed in the UK by a firm called TechSixtyFour. The device has been removed from the retailer's website.
A spokesperson said: "As a precautionary measure we have withdrawn from sale all Gator smartwatch products while we await further advice and reassurance from the supplier."
Some of the applications used by the watches lack terms and conditions, the NCC said, adding that others were found to be sending user data back to a location in China.
It advised customers to ask for their money back. "We would refrain from buying these smartwatches until features and security standards are satisfactory," it said.
"It's very serious when products that claim to make children safer instead put them at risk because of poor security," said Finn Myrstad, a director at the NCC.
"Importers and retailers must know what they stock and sell," Myrstad added. "These watches have no place on a shop's shelf, let alone on a child's wrist."
Alex Neill, managing director of home products at consumer watchdog Which?, commented: "Although these products are marketed at making children safer, parents will be shocked if they actually put them at risk because of shoddy security.
"While there is no denying the huge benefits smart-gadgets can bring to our daily lives, safety and security should be the absolute priority.
"If that can't be guaranteed, then the products should not be sold."
The report concluded: "Any consumer looking for ways to keep their children safe and secure might want to think twice before purchasing a smartwatch as long as the faults outlined in these reports have not been fixed."
Colleen Wong, founder of TechSixtyFour, said in a statement that the company took "immediate steps to address every potential issue or vulnerability mentioned".
A statement read: "We are extremely grateful to the Norwegian Data Protection Authority and have acted quickly upon [its] findings. We will continue to test our systems and software and ensure that they are up-to-date and capable of repelling all forms of hacking and malware.
"We do want to reiterate that no breach has ever taken place and no personal information has ever been taken by third parties as far as we are aware in the UK or abroad.
"We are working diligently and tirelessly to ensure that we address all of the issues raised by the report as quickly and comprehensively as possible."