diff --git a/src/agentscope/studio/_app.py b/src/agentscope/studio/_app.py
index 81ed58b61..8e1ba88d1 100644
--- a/src/agentscope/studio/_app.py
+++ b/src/agentscope/studio/_app.py
@@ -755,6 +755,11 @@ def _delete_workflow() -> Response:
     if not filename:
         return jsonify({"error": "Filename is required"})
 
+    if not filename.endswith(".json"):
+        return jsonify({"error": "Only JSON files can be deleted"})
+
+    filename = os.path.basename(filename)
+
     filepath = os.path.join(user_dir, filename)
     if not os.path.exists(filepath):
         return jsonify({"error": "File not found"})