Good question. Parameters are JSON serializable payloads and we have mechanisms in place that limit:
• the payload size,
• what this payload can be.
I’m no security expert, but I know that Cloud has several mechanisms in place to prevent such scenarios, the first being Auth and RBAC allowing to restrict who can register flows to the API in the first place. If you have more security-related topics, you can send those to
security@prefect.io and this way someone who knows more than me will get back to you to discuss any security concerns.