Prompt-injection scanner for Make automation
Make (formerly Integromat) connects more than 1,800 apps and executes millions of automation scenarios every day. When a Make scenario includes an OpenAI, Anthropic Claude, or Google Gemini module and that module receives an image or document from an upstream trigger — a Gmail attachment, an Airtable image field, a Google Drive file, or a Typeform upload — the image bytes reach the vision model without any content inspection. A FigStep-class adversarial payload embedded in a document can redirect the AI module's output, alter downstream routing decisions, or extract data from prior scenario bundles. Make provides no built-in multimodal content scanning. Inserting an HTTP module that calls Glyphward's /v1/scan endpoint before the AI module closes this gap without requiring custom code or external infrastructure.
TL;DR
In any Make scenario where an AI module receives image or document data from an upstream trigger: add an HTTP module before the AI module, POST the image to https://glyphward.com/v1/scan, then add a Router with a Filter that only continues to the AI module if the returned score < 70. Scan latency is under 200 ms — well within Make's module timeout. Free tier — 10 scans/day, no card required.
Where multimodal PI enters Make scenarios
Gmail or Outlook trigger → OpenAI Vision module for document extraction. A scenario triggered by a new email with an attachment that forwards the attachment to an OpenAI Create Completion or Message module is among the most common Make + AI patterns. Invoice images, receipt scans, and signed agreements are all untrusted external inputs. An attacker who can email your trigger address can craft an attachment carrying adversarial pixel-level instructions. See PDF prompt-injection detection for the case where the payload is embedded in a PDF page.
Typeform / Jotform image upload trigger. Web forms that accept image uploads — customer onboarding, support ticket intake, product submission — route those images downstream to classification or extraction AI modules. The submitter is an external, untrusted user. A crafted form submission is a straightforward attack vector: the attacker uploads a manipulated image through your own public form.
Google Drive / Dropbox watch trigger with AI summarisation. Scenarios that trigger on new files in a shared Drive folder and forward them to an AI module for summarisation or tagging have a supply-chain attack surface. Anyone with write access to the watched folder can place an adversarial file that processes silently, without triggering a notification to the scenario owner.
Airtable or Notion attachment field. Airtable records with image attachments synced to Make via a Watch Records trigger, then processed by an AI module for captioning or classification, pass attacker-supplied images without any inspection. This is common in content operations teams that use AI to label incoming media assets.
Webhook trigger with base64 image payload. Custom webhook triggers that receive base64-encoded image data from external services and forward it to an AI module carry the same exposure as any direct API integration. The indirect prompt injection via image pattern applies when the image URL is fetched from a third-party host rather than uploaded directly.
Adding a Glyphward scan module to a Make scenario
Make's HTTP module can call any REST API. The scan gate requires three additions: an HTTP module, a Router, and a Filter on the Router's path to the AI module.
Step 1: Add an HTTP > Make a request module immediately after the trigger (or the module that produces the image binary) and before the AI module.
Configure the HTTP module with:
- URL: https://glyphward.com/v1/scan
- Method: POST
- Headers:
  - Authorization: Bearer [your Glyphward API key]
  - Content-Type: application/json
- Body type: Raw
- Content type: JSON (application/json)
- Request content:

    {
      "image": "{{toBase64(triggerImageBinary)}}",
      "source": "make_scenario"
    }
Step 2: Add a Router module after the HTTP module. Create two paths: one that continues to the AI module and one that handles the rejected case (log to a Data Store, send a Slack alert, or simply terminate the bundle).
Step 3: Add a Filter on the path leading to the AI module.
- Label: Only if scan passed
- Condition: HTTP module > Data > score Less than 70
Bundles where the score is 70 or above take the alternative Router path. No image data reaches the AI module. The Router's filter log in Make's scenario history records the blocked bundle for audit purposes.
Step 4: Store your API key in Make's Connection or Custom App config. Do not paste the raw API key into the HTTP module header field directly, since Make's scenario history logs request details. Use Make's built-in Keychain connection or pass the key as a constant from a separate "Set Variable" module that does not appear in public scenario history.
Handling multiple images per bundle with the Iterator module
If your scenario processes more than one image per trigger event — a Typeform submission with multiple file upload fields, or a Google Drive folder with a batch of newly added files — use Make's Iterator module to loop over the image collection and scan each image individually. Add the HTTP + Router + Filter group inside the loop. Each image that passes the filter continues to the AI module; images that are flagged are routed to the rejection path. Use the Aggregator module after the loop to collect only the scan-passed images for downstream processing.
Coverage matrix
| Defence layer | Gmail attachment | Typeform upload | Drive new file | Webhook image |
|---|---|---|---|---|
| Make built-in validation | File type check only | File size limit only | No | No |
| OpenAI content policy | Harm categories only (not PI) | Harm categories only | Harm categories only | Harm categories only |
| Text-only scanner (LLM Guard, Lakera) | No — image bytes ignored | No | No | No |
| Glyphward HTTP module | Yes — pixel-level scan | Yes | Yes | Yes |
Related questions
Does scanning add to Make's operation count?
Yes — each HTTP module execution consumes one Make operation. On Make's free tier (1,000 operations/month), consider triggering the scan only when the MIME type of the upstream file is confirmed as an image or PDF using a Filter before the HTTP module. On Core and higher plans, the additional operation per scenario run is negligible overhead relative to the risk of an undetected PI payload in a production automation.
What happens if Glyphward returns a non-200 response?
By default, Make's HTTP module treats non-2xx responses as errors and stops the scenario bundle (fail-closed behaviour). You can configure an Error Handler on the HTTP module to route timed-out or errored scan requests to a separate path — for example, a Slack notification and a Data Store log entry — rather than allowing the bundle to proceed to the AI module by default. Always fail closed: if the scanner is unreachable, the image should not reach the LLM.
Can Make's AI module inspect image content itself?
Make's native OpenAI and Anthropic modules pass image bytes directly to the model with your system prompt. The model may decline to follow injected instructions if your system prompt is strong, but model-level instruction following is not a reliable defence — it is a probabilistic output that varies by model version and payload. A dedicated scanner operating on the image before the LLM call is the only deterministic gate.
Does this work with Make's new AI-native features (Agentic scenarios)?
Make's agentic and AI-native scenario types (where the AI module drives subsequent module selection at runtime) are higher-risk because a successful PI attack does not just alter a single output — it can redirect the entire scenario execution path. For agentic Make scenarios, use a lower threshold (score ≥ 60 blocks the bundle) and log every scan result, not just blocked ones, to a Data Store for post-incident forensics.
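The gate described on this page (score filter, fail-closed handling of scanner errors, per-image iteration, and the lower agentic threshold), written out as an added Python example for checking the routing decision offline; it is not Glyphward or Make code. The reply shape `{"score": <number>}`, the `scan` callable, and the sample replies are assumptions made for illustration.

```python
import json

BLOCK_AT = {"standard": 70, "agentic": 60}  # block thresholds stated on this page


def gate(status, body, scenario="standard"):
    """Decide the Router path for one scan reply; every failure mode rejects."""
    limit = BLOCK_AT[scenario]
    if not 200 <= status < 300:
        return "rejected", f"scanner returned HTTP {status}"
    try:
        score = json.loads(body)["score"]  # assumed reply shape: {"score": <number>}
    except (ValueError, KeyError, TypeError):
        return "rejected", "no usable score in reply"
    if isinstance(score, bool) or not isinstance(score, (int, float)) or score != score:
        return "rejected", "score is not a usable number"  # score != score catches NaN
    if score >= limit:
        return "rejected", f"score {score} >= {limit}"
    return "ai_module", f"score {score} < {limit}"


def run_bundle(names, scan, scenario="standard"):
    """Iterator + Aggregator: scan each image, forward only those that pass.
    `scan` (hypothetical) maps name -> (status, body), standing in for the HTTP module."""
    passed, audit = [], []
    for name in names:
        try:
            route, reason = gate(*scan(name), scenario)
        except Exception as exc:  # timeout or connection error: fail closed
            route, reason = "rejected", f"scan failed: {exc}"
        audit.append((name, route, reason))  # log every result, not only blocks
        if route == "ai_module":
            passed.append(name)
    return passed, audit


# Constructed scanner replies for illustration, not real Glyphward output.
SAMPLE_REPLIES = {
    "invoice.png": (200, '{"score": 12}'),
    "receipt.jpg": (200, '{"score": 65}'),
    "form.png": (200, '{"score": 91}'),
    "scan.png": (503, "upstream unavailable"),
    "odd.png": (200, '{"status": "ok"}'),
}

if __name__ == "__main__":
    for row in run_bundle(SAMPLE_REPLIES, SAMPLE_REPLIES.__getitem__, "agentic")[1]:
        print(row)
```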
Further reading
- FigStep detection — the typographic attack class most commonly exploited in automation pipelines.
- PDF prompt-injection detection — scanning invoice and document attachments from email triggers.
- Indirect prompt injection via image — PI payloads in remotely-fetched images from Drive or webhook URLs.
- For Zapier AI — comparable integration guide for Zapier, the largest no-code automation platform.
- For n8n automation — integration guide for n8n, the open-source self-hostable automation alternative.
- Why text-only scanners miss image prompt injection — architectural background.