temporal-playground

Warn

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: MEDIUMPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: Insecure Local Bridge Configuration. The HTTP server in server/src/server.ts listens on port 4343 and implements Access-Control-Allow-Origin: *. This wildcard policy exposes sensitive workflow metadata (activity names, parameters, and service structures) to any web origin, enabling unauthenticated data harvesting by malicious websites if the playground is active.
  • [PROMPT_INJECTION]: Cross-Origin Prompt Injection. The /prompt endpoint in server/src/server.ts accepts arbitrary text from any origin and queues it for the AI agent. A malicious website could perform a Cross-Origin POST request to inject instructions (e.g., specifying malicious file modifications) into the agent's context via the temporal_watch tool.
  • [COMMAND_EXECUTION]: Unauthenticated Instruction Execution. The AI agent is instructed in SKILL.md to automatically apply changes to the project monorepo based on prompts received from the insecure bridge. Because the agent possesses high-privilege capabilities such as Bash and Write, the lack of origin validation on the instruction source creates a direct path for remote attackers to execute code or modify the filesystem.
  • [PROMPT_INJECTION]: Indirect Injection Surface via Project Scanning. Ingestion points: server/src/server.ts reads and parses *.workflow.ts files from the project monorepo. Boundary markers: Metadata is displayed in the UI and sent to the agent with basic headers but lacks delimiters to prevent the agent from obeying instructions embedded in the data. Capability inventory: The agent is granted Bash, Write, Edit, and Grep tools. Sanitization: The regex-based parser extracts raw strings from project files and interpolates them directly into agent prompts via ui/src/lib/spec-generator.ts, allowing an attacker to influence agent behavior through code comments or string literals.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 21, 2026, 05:10 AM
Security Audit — agent-trust-hub — temporal-playground