Prompt-injection scanner for n8n AI automation
n8n's AI Agent node, OpenAI node, and Anthropic node can each accept images or file buffers as part of a message — making any n8n workflow that processes user-supplied images, PDFs, or screenshots into a live multimodal prompt-injection target. When a workflow triggers on a webhook that includes an image attachment, a Gmail node that ingests invoices, or a Telegram bot that receives photo messages, those image bytes reach a vision model without any content inspection. A FigStep-class adversarial payload rendered into that image can instruct the LLM to change the workflow's output, leak prior conversation context, or call downstream tools with attacker-specified arguments — all invisible to text-layer input guards. Glyphward closes this gap with a single HTTP Request node that scores the image before the AI node fires.
TL;DR
In any n8n workflow where a node passes image bytes or a file buffer to an OpenAI, Anthropic, or Google Gemini AI node: add an HTTP Request node that POSTs the image to /v1/scan, then add an IF condition node that blocks the workflow if score ≥ 70. The scan completes in under 200 ms — negligible for workflows where the LLM call itself takes 2–8 seconds. Free tier — 10 scans/day, no card required.
Where multimodal PI enters n8n workflows
Webhook triggers with image payloads. An n8n workflow triggered by a webhook (from a web form, a mobile app, or a third-party service) that accepts image file uploads has a direct multimodal PI attack surface. The binary buffer arrives in the webhook body, gets passed to an OpenAI or Anthropic node as a vision message, and the model processes the image without any intermediate content check. Attackers who know (or can infer) that the workflow uses a vision model will submit crafted images containing typographic prompt injection payloads.
Gmail / Outlook nodes processing incoming emails with attachments. A common n8n automation pattern is: receive email → extract PDF or image attachment → pass to a vision model for extraction or summarisation → write result to Airtable, Notion, or a database. The attachment is an untrusted external input — it was sent by whoever emailed the workflow trigger address. Invoice processing pipelines, receipt extraction automations, and document-intake workflows all follow this pattern and all have the same exposure. See PDF prompt-injection detection for the PDF variant of this attack path.
Telegram, WhatsApp, and Slack bot nodes receiving photo messages. n8n's Telegram Trigger node exposes a photo event type. When a user sends a photo to a Telegram bot built on n8n, that photo buffer is often passed to a vision LLM for classification, captioning, or question-answering. This is a user-controlled, fully external input with no provenance guarantees. The same applies to WhatsApp Cloud API nodes receiving media messages and Slack nodes processing file uploads in channels the bot monitors.
HTTP Request nodes fetching remote images for analysis. Workflows that fetch images from URLs (product photos for cataloguing, social-media screenshots, web page captures) and pass them to a vision model are vulnerable to indirect prompt injection via image — the payload is in a third-party-hosted image that the workflow retrieves, not in a direct user upload. An attacker who can influence which URLs the workflow fetches can plant a payload on a page the workflow will visit.
Screenshot and browser automation nodes. n8n's Puppeteer / Playwright integrations and the built-in HTML Extract node can capture page screenshots that are then passed to a vision LLM for UI analysis, monitoring, or data extraction. A web page with a hidden adversarial text overlay — styled to match the page background or placed in a visually empty area — can inject instructions through the screenshot. See prompt-injection scanner for screenshot-reading agents for the full attack surface and mitigation pattern.
Adding a Glyphward scan node to an n8n workflow
n8n's HTTP Request node can call any REST API and expose the response as a JSON variable available to downstream nodes. Inserting a scan gate takes four steps:
Step 1: Add an HTTP Request node before the AI node that receives the image. Connect it to the node that produces the image buffer (webhook, email, Telegram trigger, or file-read node).
Configure the HTTP Request node with these settings:
```
Method: POST
URL: https://glyphward.com/v1/scan
Authentication: Header Auth
  Name: Authorization
  Value: Bearer {{ $credentials.glyphwardApiKey }}
Body Content Type: JSON
Body:
{
  "image": "{{ $binary.data.data }}",
  "source": "n8n_workflow",
  "metadata": {
    "workflow_id": "{{ $workflow.id }}",
    "node": "{{ $node.name }}"
  }
}
```
The $binary.data.data expression references the base64-encoded binary data from the upstream node. Adjust the expression path to match your actual binary field name (check the Input panel of the upstream node to confirm the field key).
Step 2: Store the scan result. The HTTP Request node returns a JSON object. The key field is score (integer 0–100). Name the output expression so the downstream IF node can reference it — n8n automatically exposes the response body as {{ $json.score }} in the next node.
Step 3: Add an IF node after the scan HTTP Request node.
```
Condition: Number
  Value 1: {{ $json.score }}
  Operation: Greater than or equal
  Value 2: 70
True branch → Set node: output error message → Stop And Error node
False branch → AI node (OpenAI / Anthropic / Gemini)
```
Step 4: Store your API key as an n8n credential. Create a new "Header Auth" credential in n8n with name Authorization and value Bearer YOUR_KEY, then reference it in the HTTP Request node. Never hardcode the API key directly in the expression field.
JavaScript function node alternative
If you prefer to keep the scan logic self-contained in a single Code node rather than adding a separate HTTP Request node, use the following JavaScript function in an n8n Code node (node version: Node.js, mode: Run Once for Each Item):
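```javascript
// Requires NODE_FUNCTION_ALLOW_EXTERNAL=node-fetch on self-hosted n8n
// (node-fetch v2; v3 is ESM-only and cannot be loaded with require()).
const fetch = require('node-fetch');

// In "Run Once for Each Item" mode the current item is $input.item.
const item = $input.item;
const imageBase64 = item.binary.data.data; // adjust the binary field name as needed
const apiKey = $credentials.glyphwardApiKey;

// Send the base64 image to the scanner before any AI node sees it.
const resp = await fetch('https://glyphward.com/v1/scan', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    image: imageBase64,
    source: 'n8n_code_node',
    metadata: { workflow_id: $workflow.id },
  }),
});

// A failed scan stops the item here rather than letting it through unscanned.
if (!resp.ok) {
  throw new Error(`Glyphward scan failed: ${resp.status}`);
}

const result = await resp.json();
if (result.score >= 70) {
  throw new Error(
    `Image blocked by PI scanner. scan_id=${result.scan_id} score=${result.score}`
  );
}

// Per-item mode returns a single item object, not an array.
return { json: { ...item.json, scan_id: result.scan_id, scan_score: result.score } };
```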
Throwing an error from a Code node halts that execution branch in n8n and sends the error to your error workflow (if configured) — the downstream AI node never fires. The scan_id is passed forward so downstream nodes can log it to your audit trail.
Coverage matrix
| Defence layer | Webhook image upload | Email attachment (PDF/image) | Telegram photo message | Fetched remote image |
|---|---|---|---|---|
| n8n built-in input validation | Type/size check only | No content inspection | No content inspection | No content inspection |
| OpenAI content policy check | Harm categories only (not PI) | Harm categories only | Harm categories only | Harm categories only |
| Text-only scanner (LLM Guard, Lakera) | No — image bytes ignored | No | No | No |
| Glyphward HTTP Request node | Yes — pixel-level scan | Yes — page-render scan | Yes — image scan | Yes — image scan |
Related questions
Which n8n AI nodes accept image inputs?
As of mid-2026: the OpenAI node (GPT-4o, GPT-4V) when the message type is set to "Image (Binary)", the Anthropic node (Claude 3/3.5) with image content blocks, the Google Gemini node (Gemini 1.5 Pro/Flash) with inline image parts, and any LangChain-based AI Agent node whose underlying model supports vision. If you are unsure whether your AI node accepts image input, check the Input panel at runtime — if you see a binary data key in the input, the node is vision-capable and should be gated with a scan.
Will the scan break my workflow if Glyphward is temporarily unavailable?
The HTTP Request node in n8n has configurable retry and error handling. Set "On Error" to "Continue (using error output)" and add a second IF branch that checks for a non-200 HTTP response — route that branch to a fallback that either blocks the workflow conservatively (fail closed) or logs the scan failure and continues (fail open, for latency-sensitive workflows). Fail-closed is recommended for any workflow that handles untrusted external images.
Does scanning affect n8n Cloud's execution credit consumption?
The Glyphward scan HTTP Request node counts as one HTTP Request node execution in n8n's usage metering — the same as any other API call. At typical rates (under 200 ms), the scan node adds one execution credit per item. On n8n Cloud's free tier (5 executions/month), consider scanning only when the upstream binary field is a MIME type that a vision model would process (image/png, image/jpeg, application/pdf). On Pro tiers, the overhead is negligible.
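The fail-closed routing and the MIME-type filter from the two answers above can be expressed as one decision function. This is an added example, not code from Glyphward or n8n: the function names `needsScan` and `gateDecision` are hypothetical, the sample responses are constructed, and it assumes only the `score` (integer 0–100) and `scan_id` fields and the threshold of 70 given on this page.

```javascript
// Added example: gate decision for a scan response (constructed inputs).
const BLOCK_THRESHOLD = 70; // page's rule: block when score >= 70
const SCAN_MIME_TYPES = new Set(['image/png', 'image/jpeg', 'application/pdf']);

// Should this binary be sent to the scanner? (MIME list taken from the page.)
function needsScan(mimeType) {
  const base = String(mimeType || '').toLowerCase().split(';')[0].trim();
  return SCAN_MIME_TYPES.has(base);
}

// Decide what to do with one item from the scan call's HTTP status and parsed body.
// failClosed=true blocks on any scan failure; false continues (fail open).
function gateDecision(status, body, failClosed = true) {
  const onFailure = (reason) => ({
    action: failClosed ? 'block' : 'allow',
    reason,
    scanFailed: true,
  });
  if (status !== 200) return onFailure(`scan returned HTTP ${status}`);
  const score = body && body.score;
  // A missing or malformed score must not silently compare as "below threshold".
  if (!Number.isInteger(score) || score < 0 || score > 100) {
    return onFailure('scan response has no valid score');
  }
  return {
    action: score >= BLOCK_THRESHOLD ? 'block' : 'allow',
    reason: `score=${score}`,
    scanId: body.scan_id,
    scanFailed: false,
  };
}

// Constructed sample responses (not real scanner output).
const samples = [
  [200, { scan_id: 'sample-1', score: 12 }],
  [200, { scan_id: 'sample-2', score: 70 }],
  [200, { error: 'unexpected shape' }],
  [503, null],
];
for (const [status, body] of samples) {
  console.log(status, JSON.stringify(body), '->', gateDecision(status, body).action);
}
```

A plain `score >= 70` comparison treats a response with no `score` field as a pass; the validity check above routes that case to the same branch as an HTTP failure.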
My workflow processes invoices from known vendors — is scanning still necessary?
Yes, for two reasons. First, an attacker who has the ability to send an email to your workflow trigger address can craft an invoice-lookalike image containing an adversarial payload — the workflow does not verify sender identity beyond what the email provider checks. Second, supply-chain prompt injection is a documented attack pattern: a legitimate vendor's document-management system could be compromised and begin serving malicious images embedded in otherwise-normal PDFs. The scan is a last-line-of-defence layer, not a replacement for sender authentication.
Can I scan audio files for WhisperInject-class attacks in n8n?
Yes. Glyphward's /v1/scan endpoint accepts both image and audio inputs. For n8n workflows that pipe audio files to OpenAI Whisper (via the OpenAI node's "Transcribe Recording" operation) or any other speech-to-text step before an LLM, submit the audio buffer to Glyphward with "audio": "<base64>" instead of "image". The waveform anomaly classifier checks for out-of-band frequency-domain instructions that Whisper's transcript layer would drop — the same threat covered in audio prompt-injection detection and WhisperInject detection.
Further reading
- FigStep detection — typographic PI payloads in image uploads.
- PDF prompt-injection detection — scanning embedded images in invoice and document workflows.
- Indirect prompt injection via image — PI payloads in remotely-fetched images.
- Audio prompt-injection detection — WhisperInject attacks on voice and audio nodes.
- Prompt-injection scanner for screenshot agents — browser automation and page-capture workflows.
- Prompt-injection scanner for Flowise agents — comparable no-code/low-code integration guide.
- Prompt-injection scanner for Dify agents — visual workflow editor integration.
- Why text-only scanners miss image prompt injection — architectural background.