temporal-playground
Warn
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: MEDIUMPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: Insecure Local Bridge Configuration. The HTTP server in
server/src/server.tslistens on port 4343 and implementsAccess-Control-Allow-Origin: *. This wildcard policy exposes sensitive workflow metadata (activity names, parameters, and service structures) to any web origin, enabling unauthenticated data harvesting by malicious websites if the playground is active. - [PROMPT_INJECTION]: Cross-Origin Prompt Injection. The
/promptendpoint inserver/src/server.tsaccepts arbitrary text from any origin and queues it for the AI agent. A malicious website could perform a Cross-Origin POST request to inject instructions (e.g., specifying malicious file modifications) into the agent's context via thetemporal_watchtool. - [COMMAND_EXECUTION]: Unauthenticated Instruction Execution. The AI agent is instructed in
SKILL.mdto automatically apply changes to the project monorepo based on prompts received from the insecure bridge. Because the agent possesses high-privilege capabilities such asBashandWrite, the lack of origin validation on the instruction source creates a direct path for remote attackers to execute code or modify the filesystem. - [PROMPT_INJECTION]: Indirect Injection Surface via Project Scanning. Ingestion points:
server/src/server.tsreads and parses*.workflow.tsfiles from the project monorepo. Boundary markers: Metadata is displayed in the UI and sent to the agent with basic headers but lacks delimiters to prevent the agent from obeying instructions embedded in the data. Capability inventory: The agent is grantedBash,Write,Edit, andGreptools. Sanitization: The regex-based parser extracts raw strings from project files and interpolates them directly into agent prompts viaui/src/lib/spec-generator.ts, allowing an attacker to influence agent behavior through code comments or string literals.
Audit Metadata