Prompt-injection scanner for e-commerce AI

Visual search, AI shopping assistants, size-match tools, review analysis with photo upload, and marketplace seller listings with AI-generated descriptions — every e-commerce AI feature that accepts a shopper-uploaded image passes untrusted pixel data to a vision LLM. A FigStep-class adversarial text overlay embedded in a product photo at low contrast can instruct the shopping assistant to recommend a competitor's product, generate a false price match, apply an unauthorised discount code, or return an inaccurate product description. Unlike SQL injection or XSS — which developers test for as a matter of course — multimodal prompt injection has no analogue in the standard e-commerce security checklist, and no text-only input validator detects it. Glyphward closes the gap with a pixel-level scan before each vision LLM call.

TL;DR

For any e-commerce AI feature where shoppers upload images: call /v1/scan before the vision LLM call. Score ≥ 70 → block and return a generic error. Score < 70 → pass to the model. The scan adds under 200 ms. Shopper-facing latency impact is typically less than 3% of total response time. Free tier — 10 scans/day, no card.

Multimodal PI attack surfaces in e-commerce AI

Visual search ("shop the look" / find-by-image). Visual search features ask shoppers to upload a photo of an item they want to find — a dress they saw on a friend, a piece of furniture from a design magazine. The image is passed to a vision-language model that extracts visual attributes and queries the product catalogue. A shopper who crafts an image with an adversarial text overlay — imperceptible to the human eye but readable by the LLM's vision encoder — can inject instructions into the search query: redirect results to a specific product, suppress competitor items, or trigger a price-comparison query to an external service. The attack is repeatable: once crafted, the same adversarial image produces consistent results against any deployment using the target model.

AI shopping assistants with image upload. Chatbots that let shoppers upload a photo and ask questions ("does this sofa match my floor?", "what's the right size based on these measurements?", "can I see this in blue?") are among the fastest-growing e-commerce AI features. The shopping assistant receives the shopper's image as a vision content block and processes it alongside the text question. A typographic prompt injection payload in the uploaded image can redirect the assistant's response: override the product recommendation, insert a promotional claim for a non-existent offer, or cause the assistant to output a harmful or offensive message under the brand's voice.

Marketplace seller product listing AI. Marketplace platforms that use vision AI to auto-generate product descriptions from seller-uploaded photos are a high-value target for adversarial sellers. A seller who embeds an adversarial instruction in a product photo can manipulate the AI-generated description: inflate specifications, add false certification claims, or inject promotional text for an unrelated product into the auto-generated listing. At scale, a malicious seller with automated adversarial image generation can systematically manipulate AI-generated listing content across thousands of SKUs. See indirect prompt injection via image for the supply-chain variant of this attack.

Return and review photo processing. E-commerce platforms that use vision AI to process customer-submitted return photos (for automated return authorisation), review photos (for authenticity verification), or product condition assessments (for resale pricing) receive customer-controlled images. A customer who submits a crafted return photo can influence the automated return decision. A fraudulent reviewer can inject instructions into a review photo to alter the AI's authenticity classification. These are direct financial incentive attacks — the adversary gains money or reputation from the manipulation.

AR/virtual try-on with shopper selfies. Virtual try-on features ask shoppers to upload a selfie or enable the camera, then use a vision model to overlay product items (clothing, glasses, jewellery) in the photo. The selfie is a shopper-controlled input. A shopper who crafts an adversarial selfie — with a payload in the background of the image, for example — can potentially influence the model's downstream processing steps if the try-on pipeline passes the full image (not just the cropped product region) to a vision LLM for any analysis step (style recommendation, size fitting, companion product suggestion).

Node.js integration for visual search and shopping assistants

Most e-commerce AI stacks (Shopify, BigCommerce, custom Next.js storefronts) have a Node.js or TypeScript API layer. Insert the scan before any vision LLM call:

import Anthropic from "@anthropic-ai/sdk";

const GLYPHWARD_API_KEY = process.env.GLYPHWARD_API_KEY!;
const SCAN_THRESHOLD = 70;

export class PIDetectedError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "PIDetectedError";
  }
}

async function scanImageForPI(imageBase64: string, sessionId: string): Promise<void> {
  const resp = await fetch("https://glyphward.com/v1/scan", {
    method: "POST",
    headers: {
      Authorization: `Bearer ${GLYPHWARD_API_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      image: imageBase64,
      source: "ecommerce_visual_search",
      metadata: { session_id: sessionId },
    }),
  });

  if (!resp.ok) {
    // Fail closed: if the scan service is unreachable, block the request
    throw new Error(`PI scan unavailable: ${resp.status}`);
  }

  // Only the two response fields the threshold decision needs
  const { score, scan_id } = (await resp.json()) as { score: number; scan_id: string };

  // Log for audit / analytics (server-side only; the score is never surfaced to the shopper)
  console.log(JSON.stringify({ event: "pi_scan", scan_id, score, session_id: sessionId }));

  if (score >= SCAN_THRESHOLD) {
    throw new PIDetectedError(`Adversarial image detected. scan_id=${scan_id}`);
  }
}

// In your visual search handler:
export async function handleVisualSearch(
  imageBase64: string,
  userQuery: string,
  sessionId: string
) {
  await scanImageForPI(imageBase64, sessionId); // throws PIDetectedError if blocked

  const client = new Anthropic();
  const message = await client.messages.create({
    model: "claude-sonnet-4-6",
    max_tokens: 1024,
    messages: [
      {
        role: "user",
        content: [
          {
            type: "image",
            source: { type: "base64", media_type: "image/jpeg", data: imageBase64 },
          },
          { type: "text", text: userQuery },
        ],
      },
    ],
  });

  return message.content;
}

Catch PIDetectedError in your route handler and return a 400 with a generic "Unable to process this image" message — do not reveal the scan threshold or the score to the user.

Seller marketplace listing scanning

For marketplaces that auto-generate listings from seller-uploaded product photos, scan at upload time rather than at query time. This way the adversarial image is blocked before it enters the product catalogue, not just when a shopper query triggers the vision model:

// flagSellerForReview is the marketplace's own trust-and-safety hook (not shown here)
async function processSellerProductUpload(
  imageBuffer: Buffer,
  sellerId: string,
  listingId: string
): Promise<{ clean: boolean; scanId: string; score: number }> {
  const imageBase64 = imageBuffer.toString("base64");

  const resp = await fetch("https://glyphward.com/v1/scan", {
    method: "POST",
    headers: { Authorization: `Bearer ${GLYPHWARD_API_KEY}`, "Content-Type": "application/json" },
    body: JSON.stringify({
      image: imageBase64,
      source: "marketplace_listing_upload",
      metadata: { seller_id: sellerId, listing_id: listingId },
    }),
  });

  if (!resp.ok) {
    // Fail closed: an unscanned image must not enter the catalogue
    throw new Error(`PI scan unavailable: ${resp.status}`);
  }

  const { score, scan_id } = (await resp.json()) as { score: number; scan_id: string };

  if (score >= SCAN_THRESHOLD) {
    // Flag seller account for review, do not publish listing
    await flagSellerForReview(sellerId, scan_id, score);
    return { clean: false, scanId: scan_id, score };
  }

  return { clean: true, scanId: scan_id, score };
}

Scanning at upload time protects all downstream consumers of the product catalogue — visual search, AI assistants, recommendation engines — without requiring scan logic in each consumer.

Coverage matrix

Defence layer | Visual search upload | Shopping assistant image | Seller product photo (listing AI) | Return / review photo
Input sanitisation (type/size/format check) | Type check only | Type check only | Type check only | Type check only
Text-only scanner (Lakera, LLM Guard) | No — image bytes ignored | No | No | No
OpenAI / Anthropic content policy | Harm categories only (not PI) | Harm categories only | Harm categories only | Harm categories only
Glyphward pixel-level scan | Yes | Yes | Yes — at upload time | Yes

Related questions

Our visual search handles thousands of image uploads per hour — how does Glyphward scale?

The Pro tier supports 100,000 scans per month (roughly 140 scans per hour continuously). For high-volume visual search at thousands of uploads per hour, use the Team tier (1,000,000 scans per month) or contact Glyphward for a volume agreement. For burst patterns — flash sale traffic, holiday peaks — the batch scan endpoint processes multiple images in a single API call with a shared connection, reducing per-image overhead.

Does scanning increase our product upload processing time for sellers?

Scan latency is under 200 ms. For a typical product image upload flow where image resizing, CDN upload, and metadata extraction take 500–2000 ms, the PI scan is a minor addition. For seller upload pipelines with strict SLA requirements, submit the scan asynchronously alongside (not before) the CDN upload, then quarantine the image until the scan result arrives. If the scan returns clean, release the image to the listing pipeline. This way scan latency is hidden within the existing upload processing time.

We use a third-party visual search provider (e.g. Google Vision API, Amazon Rekognition) — do we still need to scan?

Google Vision API and Amazon Rekognition are image classification and feature-detection services, not LLM-based vision models. They do not process natural-language instructions embedded in images — they return structured labels, objects, and similarity scores. Multimodal PI attacks (FigStep, AgentTypo, typographic PI) target vision-language models (GPT-4o, Claude 3, Gemini) that read both the visual content and any text rendered into the image. If your pipeline uses a pure CV API (not a VLM) for search and does not pass the image to an LLM, you are not directly exposed to multimodal PI. However, if you use a VLM anywhere downstream — for description generation, recommendation explanation, or chatbot response — those LLM-connected nodes are still exposed.

What about AI-generated product images — can they contain PI payloads?

Adversarially crafted AI-generated images can contain PI payloads, though this requires the attacker to have significant influence over the generation pipeline (e.g., a rogue seller using a fine-tuned model specifically designed to embed adversarial text overlays in generated images). This is a realistic threat for high-scale marketplaces where sellers use automated image generation. Scanning at upload time — regardless of whether the image is photographed or AI-generated — is the consistent mitigation. The scan is image-content-agnostic: it scores the pixel stream, not the provenance.
