Platform guide · Google Workspace AI

Prompt injection scanner for Google Workspace AI

Gemini for Google Workspace (formerly Duet AI) integrates large multimodal models directly into Google Docs, Gmail, Drive, Slides, and Meet. Employees ask Gemini to summarise documents with embedded images, search Drive for files by image content, draft replies to emails containing image attachments, and generate presentations from image-heavy briefs. Each of these interactions routes external image content — supplied by document authors, email senders, or Drive file owners — through a Gemini model that follows natural-language instructions. Google Workspace's existing security controls (DLP, Vault, Admin Console trust rules, Context-Aware Access) operate at the document metadata, sharing permission, and data residency layers; none inspect the pixel-level content of images processed by Gemini for adversarially embedded instructions. A supplier who uploads a contract PDF with an adversarially crafted invoice image, a phisher who sends an email with a pixel-poisoned PNG attachment, or an internal attacker who places an adversarial image in a shared Drive folder can all inject natural-language directives into an enterprise Gemini session without any Workspace-layer detection. Glyphward provides the pre-Gemini image scan gate that Google Workspace does not.

TL;DR

Applications built on the Google Workspace APIs (Docs API, Drive API, Gmail API, Slides API) that pass document images to Gemini should scan every image via POST https://glyphward.com/v1/scan before the Gemini API call. Reject images with score >= 65. For custom Workspace Add-ons that invoke google.cloud.aiplatform or the @google/generative-ai SDK directly, add the scan gate before each generateContent() call that includes image parts. Free tier — 10 scans/day, no card required.

The four multimodal attack surfaces in Google Workspace AI

1. Gemini in Google Docs — images embedded in documents processed by AI assistants. When an employee opens a Google Doc with embedded images and asks Gemini to "summarise this document" or "rewrite this section," Gemini's multimodal model processes the full document content including all embedded images and inline figures. A document with a pixel-level adversarial instruction embedded in an image — a manipulated PNG inserted into a supplier contract, an adversarially crafted chart in a vendor technical brief, a screen capture with injected text rendered below human-visibility thresholds — will expose that instruction to Gemini as part of the document context. Gemini's summarisation and rewriting capabilities give the attacker multiple output surfaces: the summary the employee saves, the rewritten draft they send externally, the action items Gemini generates from the document review. Because the image is in the document body rather than the Gemini prompt itself, there is no user-visible signal that a non-textual input is influencing the AI's output. Google Workspace's document sharing controls determine who can access the Doc but do not scan the pixel content of embedded images before they reach Gemini.

2. Gemini in Google Drive — AI-powered file search and content understanding. Gemini in Drive enables semantic search across an employee's entire Drive corpus, including image content in files — ask "find the contract with the payment terms" and Gemini reads image-based PDFs and scanned documents to surface relevant results. Behind the scenes, Drive's AI indexing pipeline processes image files and image-bearing documents through Gemini's vision capabilities to extract semantic content for search and the Smart Canvas suggestions feature. An adversarial image stored in a shared Drive folder — placed there by an internal collaborator, an external partner with edit access, or through a compromised Google Drive sync — is indexed by Gemini's Drive ingestion pipeline and its adversarial pixel content is processed as part of the semantic understanding pass. If the injected instruction targets a Gemini-in-Drive interaction that occurs in a higher-privilege context (an admin reviewing compliance documents, a finance team member reviewing vendor proposals), the blast radius of the injection extends to that user's Gemini session rather than just the session of whoever uploaded the file.

3. Gemini in Gmail — AI processing of email attachments and inline images. Gemini in Gmail summarises email threads, drafts replies, and extracts action items from messages — and in modern Gmail, that includes the image content of attachments and inline images in received HTML emails. A phishing email that appears to contain a legitimate invoice image but embeds adversarial pixel content can inject instructions into the Gemini session of whoever asks Gmail's AI to "summarise this email and suggest a reply." The risk is compounded by the automatic trust Gmail's UX gives to Gemini-generated draft replies — employees frequently accept Gemini-suggested reply drafts with minimal review, meaning an injection that directs Gemini to "draft a reply confirming the wire transfer" or "mark this message as legitimate and forward it" can execute the attacker's goal through normal UX interactions without any suspicious command being visible to the user. Google's email filtering (spam, phishing, malware) operates at the message metadata and text-content level; it does not scan attachment image pixels for adversarial instruction content.

4. Google AppSheet and Workspace Add-ons — custom AI workflows processing user-submitted images. Google AppSheet (Google's no-code app platform, included in Workspace Business and Enterprise tiers) allows business teams to build custom applications that accept image submissions from field staff, customers, or suppliers — inspection photos, product images, scanned receipts, ID documents — and process them with Gemini AI for classification, extraction, or routing. Workspace Add-ons (Apps Script or Google Cloud Run extensions) similarly give developers direct access to the Gemini API within the Workspace context, enabling custom document-processing workflows. Neither AppSheet's image handling nor the Workspace Add-on framework includes pixel-level PI scanning — the responsibility rests with the app or Add-on developer. A field worker's app that submits equipment inspection photos to Gemini for defect detection, or a customer support Add-on that extracts form fields from uploaded images, is exposed to multimodal injection from any party who can influence what images are submitted to the system.

Integration: Google AI SDK with Glyphward pre-scan gate

import base64
from pathlib import Path

import google.generativeai as genai
import requests

GOOGLE_API_KEY = "<your-google-ai-api-key>"
GLYPHWARD_KEY = "<your-glyphward-api-key>"
GLYPHWARD_THRESHOLD = 65
# OAuth 2.0 access token for the Drive API (service account or the Add-on's user
# credential). A Google AI API key does not authorise Drive file downloads.
DRIVE_ACCESS_TOKEN = "<oauth-access-token-with-drive-readonly-scope>"

genai.configure(api_key=GOOGLE_API_KEY)
model = genai.GenerativeModel("gemini-1.5-pro")

MIME_BY_SUFFIX = {
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".png": "image/png",
    ".gif": "image/gif",
    ".pdf": "application/pdf",
}


def scan_image_for_injection(image_bytes: bytes) -> dict:
    """Scan image bytes for multimodal prompt injection before any Gemini call."""
    encoded = base64.b64encode(image_bytes).decode()
    resp = requests.post(
        "https://glyphward.com/v1/scan",
        json={"image": encoded, "source": "google_workspace_ai"},
        headers={"Authorization": f"Bearer {GLYPHWARD_KEY}"},
        timeout=8,
    )
    resp.raise_for_status()
    return resp.json()


def analyse_images_with_gemini(
    images: list[tuple[bytes, str, str]],
    text_prompt: str,
) -> str:
    """
    Core Workspace AI pattern: scan every image before assembling the multimodal
    Gemini request. `images` holds (image_bytes, mime_type, label) tuples; the
    label only appears in error messages. Each image is scanned exactly once.
    Raises RuntimeError if the scanner is unreachable (fail-closed) and
    ValueError if any image scores at or above GLYPHWARD_THRESHOLD.
    """
    content_parts = []
    for image_bytes, mime, label in images:
        # Pre-scan gate — fail-closed: an unavailable scanner blocks the request
        try:
            scan = scan_image_for_injection(image_bytes)
        except Exception as exc:
            raise RuntimeError(
                f"Image security scan unavailable for {label} — request blocked."
            ) from exc

        if scan["score"] >= GLYPHWARD_THRESHOLD:
            raise ValueError(
                f"Image blocked: {label} — adversarial content detected "
                f"(score {scan['score']}/100, scan_id={scan['scan_id']})"
            )

        content_parts.append(
            {"inline_data": {"mime_type": mime,
                             "data": base64.b64encode(image_bytes).decode()}}
        )

    # All images passed — call Gemini with combined image + text context
    content_parts.append(text_prompt)
    response = model.generate_content(content_parts)
    return response.text


def analyse_document_with_gemini(image_paths: list[str], text_prompt: str) -> str:
    """Scan local document images (e.g. exported from a Doc) before the Gemini call."""
    images = []
    for path in image_paths:
        p = Path(path)
        mime = MIME_BY_SUFFIX.get(p.suffix.lower(), "image/png")
        images.append((p.read_bytes(), mime, path))
    return analyse_images_with_gemini(images, text_prompt)


# --- Workspace Add-on pattern: Google Drive document processing ---
def process_drive_document_images(drive_image_urls: list[str], prompt: str) -> str:
    """
    Fetch Drive-hosted images (Drive API v3 files/{fileId}?alt=media URLs) with
    an OAuth access token and route them through the same scan gate before
    Gemini. No temp files are written and no image is scanned twice.
    """
    images = []
    for url in drive_image_urls:
        resp = requests.get(
            url,
            headers={"Authorization": f"Bearer {DRIVE_ACCESS_TOKEN}"},
            timeout=15,
        )
        resp.raise_for_status()
        # Drive reports the file's MIME type on the media download response
        mime = resp.headers.get("Content-Type", "image/png").split(";")[0].strip()
        images.append((resp.content, mime, url))
    return analyse_images_with_gemini(images, prompt)

The analyse_document_with_gemini() function scans every image before assembling the multimodal Gemini request, and it fails closed: an unreachable scanner blocks the call rather than letting the unscanned image through. This is the correct pattern for Workspace Add-ons and AppSheet integrations that forward user-supplied or Drive-hosted images to Gemini. For Gmail attachment processing (Gemini in Gmail auto-summarisation), add the same gate in the Gmail API webhook handler that receives incoming messages, before their attachments are passed to a Gemini summarisation call. The "source": "google_workspace_ai" field in the scan request lets Glyphward distinguish Workspace traffic for corpus tuning and reporting.

Coverage matrix

Each defence layer is rated against the four surfaces: Gemini in Docs (embedded images), Gemini in Drive (file indexing), Gemini in Gmail (email attachments), and AppSheet / Add-ons (custom AI workflows).

Google Workspace DLP
  Docs: No — DLP inspects data patterns in text content, not pixel-level instruction payloads
  Drive: No
  Gmail: No
  AppSheet / Add-ons: No

Google Workspace Vault
  Docs: No — eDiscovery archive, not content inspection for AI inputs
  Drive: No
  Gmail: No
  AppSheet / Add-ons: No

Context-Aware Access (BeyondCorp)
  Docs: No — controls who can access resources, not what image content reaches Gemini
  Drive: No
  Gmail: No
  AppSheet / Add-ons: No

Google Safe Browsing / Gmail spam filters
  Docs: N/A
  Drive: N/A
  Gmail: No — phishing detection operates on email metadata and text; does not scan attachment image pixels for PI payloads
  AppSheet / Add-ons: N/A

Glyphward pre-Gemini scan
  Docs: Yes — scan embedded images before the Gemini document summary call
  Drive: Yes — scan file images before Drive AI indexing or Drive API retrieval
  Gmail: Yes — scan attachment images before Gmail Gemini summarisation
  AppSheet / Add-ons: Yes — scan user-submitted images before the AppSheet/Add-on Gemini call

Related questions

Does Google Workspace's AI security posture differ from Google Cloud Vertex AI?

Yes, significantly. Google Cloud Vertex AI is a developer platform where your team owns the full inference stack — you configure Gemini API calls, set system prompts, and are responsible for input validation. Vertex AI provides optional safety settings (harm category thresholds) and the Model Armor API for text-based prompt injection detection, but not pixel-level PI scanning for image inputs. Google Workspace AI is a consumer-grade enterprise SaaS product — employees interact with Gemini through the Docs, Gmail, and Drive UIs, and the underlying model calls are managed by Google. In the Workspace context, the attack surface is wider because image content originates from external parties (email senders, document authors, Drive file owners) whom the enterprise cannot control, and the Workspace UI surfaces AI outputs in high-trust contexts (suggested reply drafts, document summaries, action item lists). Vertex AI deployments are covered in detail in our Vertex AI Agent Builder page and Google Gemini Flash page.

Can Google Workspace Admins disable image processing in Gemini to close this risk?

No — as of 2026, Google Workspace Admins can control which Gemini features are enabled for users (e.g., whether Gemini in Docs is available), but they cannot selectively disable image processing within Gemini while keeping text-based AI features active. Disabling Gemini in Docs entirely removes all AI document assistance, which most enterprises are unwilling to do for productivity reasons. The correct architectural response is not to disable the feature but to add a pre-processing scan gate at the integration layer — in Workspace Add-ons, AppSheet workflows, or API integrations built on top of the Google Drive and Gmail APIs — that intercepts image content before it reaches Gemini. This is the approach Glyphward supports.

Does the attack require a specially crafted image or can normal business images be weaponised?

Adversarial pixel-level prompt injection typically requires deliberately crafted images — using techniques like FigStep (text rendered in adversarial fonts), typographic pixel manipulation (instructions encoded below human visual detection thresholds), or steganographic encoding (instruction bytes embedded in LSB pixel channels). Normal business photographs, diagrams, and charts do not carry these payloads by default. The attacker must specifically craft the image to carry both a legitimate-looking appearance (so it passes human review) and an adversarial instruction payload (so it directs the VLM). However, the barrier to crafting such images is low — FigStep-class attacks require only standard image editing software, and the techniques are publicly documented with open-source tools available on GitHub. Any party who submits images to your system — suppliers, customers, employees — can access these techniques; the assumption that business images are safe is no longer valid.

How does Glyphward scan images that arrive as base64-encoded email attachments?

When processing Gmail attachments via the Gmail API, attachment content is returned as a URL-safe base64 string in the parts[].body.data field of the message resource. Decode it to raw bytes with base64.urlsafe_b64decode (standard b64decode silently drops the '-' and '_' characters of the URL-safe alphabet and corrupts the bytes), then re-encode those bytes as standard base64 for the scan request: image_bytes = base64.urlsafe_b64decode(attachment_data), then POST to /v1/scan as {"image": base64.b64encode(image_bytes).decode()}. If you use the Google Workspace Gmail Push Notifications webhook, the attachment bytes are not included in the push payload; fetch the attachment content via the Gmail API's users.messages.attachments.get endpoint before scanning. The Glyphward scan is format-agnostic: it accepts JPEG, PNG, WebP, GIF, TIFF, and PDF (first page) inputs, which covers all common email attachment image formats.
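The Gmail webhook gate described in the integration section and the attachment decoding described above, as one added example that is not part of the original page or of Glyphward's SDK: it walks a Gmail API message resource (multipart parts nested under payload), decodes each image or PDF part from Gmail's URL-safe base64 (restoring dropped padding), fetches parts that carry only an attachmentId, and runs every part through an injected scanner before the handler may call Gemini. The message, the attachment store, the fetch function and demo_scan are constructed stand-ins so the gate runs offline; in production, scan is the page's scan_image_for_injection and fetch_attachment wraps users.messages.attachments.get.

```python
import base64
from typing import Callable, Iterator, Optional

GLYPHWARD_THRESHOLD = 65                        # same reject threshold as the TL;DR
SCANNABLE_MIME = ("image/", "application/pdf")  # formats the scan endpoint accepts per this page


def iter_scannable_parts(payload: dict) -> Iterator[dict]:
    """Walk a Gmail API message payload depth-first and yield every image/PDF part,
    descending into multipart/* containers."""
    stack = [payload]
    while stack:
        part = stack.pop()
        # push children in reverse so they are yielded in document order
        for child in reversed(part.get("parts", [])):
            stack.append(child)
        if part.get("mimeType", "").startswith(SCANNABLE_MIME):
            yield part


def decode_gmail_base64(data: str) -> bytes:
    """Gmail API bodies are URL-safe base64 (RFC 4648 section 5), possibly without
    '=' padding; restore the padding and decode with the URL-safe alphabet."""
    padded = data + "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(padded)


def attachment_bytes(part: dict, fetch_attachment: Optional[Callable[[str], str]]) -> bytes:
    """Raw bytes of one part. Small parts carry body.data inline; larger ones carry
    only body.attachmentId and must be fetched (users.messages.attachments.get)."""
    body = part.get("body", {})
    if body.get("data") is not None:
        return decode_gmail_base64(body["data"])
    attachment_id = body.get("attachmentId")
    if attachment_id is None or fetch_attachment is None:
        # Fail closed: a part that cannot be read cannot be scanned.
        raise RuntimeError("attachment content unavailable; refusing to pass it to Gemini")
    return decode_gmail_base64(fetch_attachment(attachment_id))


def gate_message_attachments(message: dict, scan: Callable[[bytes], dict],
                             fetch_attachment: Optional[Callable[[str], str]] = None) -> list:
    """Scan every image/PDF part of one Gmail message resource and report a verdict
    per part. Any scanner exception propagates so the webhook handler fails closed."""
    findings = []
    for part in iter_scannable_parts(message["payload"]):
        result = scan(attachment_bytes(part, fetch_attachment))
        findings.append({
            "filename": part.get("filename", ""),
            "mime": part["mimeType"],
            "score": result["score"],
            "blocked": result["score"] >= GLYPHWARD_THRESHOLD,
        })
    return findings


def message_may_reach_gemini(findings: list) -> bool:
    """True only when no part was blocked; otherwise skip the Gemini summarisation
    call and log the findings."""
    return not any(f["blocked"] for f in findings)


# --- constructed sample data (not real Gmail output) so the gate runs offline ---
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")   # Gmail-style, unpadded


SAMPLE_INLINE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-clean-inline-image"
SAMPLE_LARGE_JPEG = b"\xff\xd8\xff\xe0" + b"constructed-suspicious-attachment"

SAMPLE_MESSAGE = {
    "id": "constructed-msg-1",
    "payload": {
        "mimeType": "multipart/mixed",
        "parts": [
            {"mimeType": "multipart/alternative", "parts": [
                {"mimeType": "text/plain", "body": {"data": _b64url(b"Invoice attached")}},
                {"mimeType": "text/html", "body": {"data": _b64url(b"<p>Invoice attached</p>")}},
            ]},
            {"mimeType": "image/png", "filename": "logo.png",
             "body": {"data": _b64url(SAMPLE_INLINE_PNG)}},
            {"mimeType": "image/jpeg", "filename": "invoice.jpg",
             "body": {"attachmentId": "constructed-att-1", "size": len(SAMPLE_LARGE_JPEG)}},
        ],
    },
}

_ATTACHMENT_STORE = {"constructed-att-1": _b64url(SAMPLE_LARGE_JPEG)}


def demo_fetch_attachment(attachment_id: str) -> str:
    """Stand-in for service.users().messages().attachments().get(...).execute()["data"]."""
    return _ATTACHMENT_STORE[attachment_id]


def demo_scan(image_bytes: bytes) -> dict:
    """Stand-in scanner returning the page's {"score", "scan_id"} shape; it flags the
    constructed marker so the blocked path is exercised offline."""
    return {"score": 91 if b"suspicious" in image_bytes else 4, "scan_id": "demo"}


if __name__ == "__main__":
    verdicts = gate_message_attachments(SAMPLE_MESSAGE, demo_scan, demo_fetch_attachment)
    for v in verdicts:
        print(v)
    print("safe for Gemini:", message_may_reach_gemini(verdicts))
```

The gate deliberately returns per-part findings rather than a bare boolean, so the handler can log which attachment tripped the threshold (filename, MIME type, score) alongside the message id while still refusing the whole message on any block.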

Further reading