Prompt-injection scanner for Zapier AI
Zapier connects over 7,000 apps and serves more than 6 million business users. When a Zap includes an AI Step (powered by OpenAI GPT-4o, Anthropic Claude, or Google Gemini) and that step receives an image or document from an upstream trigger — a Gmail attachment, a Typeform file upload, a Google Drive file, or a Slack image share — the image bytes reach a vision model without any content inspection. A FigStep-class adversarial payload embedded in the image can instruct the LLM to change the Zap's output, exfiltrate data from prior steps, or trigger downstream actions with attacker-controlled content. Zapier has no built-in multimodal content scanning. A "Webhooks by Zapier" action calling Glyphward's /v1/scan endpoint — inserted before the AI Step — closes this gap with a single no-code configuration step.
TL;DR
In any Zap where an AI Step receives image or document data from an upstream trigger: insert a "Webhooks by Zapier" POST action before the AI Step, call https://glyphward.com/v1/scan with the image data, then add a Filter action that stops the Zap if the returned score ≥ 70. The scan completes in under 200 ms — well within Zapier's step timeout. Free tier — 10 scans/day, no card required.
Where multimodal PI enters Zapier workflows
Gmail trigger → AI Step for invoice or receipt extraction. A Zap that triggers on a new Gmail email and passes its attachment to an AI Step for data extraction is among the most common Zapier + AI patterns. Invoice images, receipt scans, and form PDFs are all untrusted external inputs. An attacker who can email your Zap trigger address can craft an attachment containing adversarial pixel-level instructions. See PDF prompt-injection detection for the version where the image is embedded in a PDF.
Typeform / JotForm / Gravity Forms image upload triggers. Web forms that accept image uploads — customer onboarding forms, support ticket attachments, product submission forms — route those images to downstream AI Steps for classification, extraction, or triage. The form submitter is an external, untrusted user. An adversarial form submission is a straightforward attack vector: the attacker simply fills in the form and uploads a crafted image.
Google Drive / Dropbox new file triggers with AI document analysis. Zaps that trigger on new files in a shared folder and pass those files to an AI Step for summarisation or extraction have a supply-chain attack surface. The files arrive from anyone who has write access to the shared folder — collaborators, clients, vendors, or anyone who gains access to a shared link. A file placed in the trigger folder that contains an adversarial image payload processes silently, with no notification to the Zap owner.
Slack image share triggers. Zapier's Slack trigger can fire on new file uploads in a channel. If the Zap forwards the file to an AI Step for any kind of processing — content moderation, classification, or transcription — any channel member can upload a crafted image to trigger the attack. In B2B SaaS tools that route customer-shared images through AI pipelines via Slack webhooks, this is a common unguarded path.
Webhook trigger with base64 image payload. Custom webhook triggers that receive base64-encoded image data from external services (e-commerce product images, user avatar uploads, camera feeds) and forward to an AI Step have the same exposure as any direct API integration. The indirect prompt injection via image pattern applies when the image URL is fetched from a third-party host.
Adding a Glyphward scan action to a Zap
Zapier's "Webhooks by Zapier" action can call any REST API. The scan gate requires three Zap actions: a Webhooks POST, a Code step to read the score, and a Filter.
Step 1: Add a "Webhooks by Zapier" action between the trigger (or the step that produces the image) and the AI Step.
Configure it with:
- Action Event: POST
- URL: https://glyphward.com/v1/scan
- Payload Type: JSON
- Data:
  - image: [the base64 image field from the upstream step]
  - source: zapier_workflow
- Headers:
  - Authorization: Bearer [your Glyphward API key]
  - Content-Type: application/json
Step 2: Add a "Filter by Zapier" action after the Webhooks step.
Only continue if:
- [Webhooks response: score] Less than 70
If the score is 70 or above, the Zap stops at this Filter and the AI Step never runs. The Zap run is marked "Stopped by Filter" in your Zap history — useful for auditing flagged inputs without triggering an error alert.
Step 3: Store your API key securely. Use Zapier's built-in "app" credential storage or a Zapier Secret Manager connection rather than pasting the key directly into the Webhooks action header field. This prevents the key from appearing in Zap history logs.
Alternative: Code by Zapier (JavaScript)
If you need to handle the scan response with custom logic (multi-image Zap, conditional routing based on scan_id, or logging to a data store), use a "Code by Zapier" JavaScript step instead of the Filter:
```javascript
const imageBase64 = inputData.imageBase64; // from upstream step
const apiKey = inputData.glyphwardApiKey;  // pass as input from Zapier Secret

const resp = await fetch('https://glyphward.com/v1/scan', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ image: imageBase64, source: 'zapier_code_step' }),
});

if (!resp.ok) {
  // Fail-closed: block the Zap if the scan service is unreachable
  throw new Error(`Glyphward scan failed: ${resp.status}`);
}

const result = await resp.json();

// Fail-closed: a missing or non-numeric score must not slip past the threshold check
if (typeof result.score !== 'number') {
  throw new Error('Glyphward scan returned no numeric score');
}

if (result.score >= 70) {
  throw new Error(
    `Image blocked by multimodal PI scanner. scan_id=${result.scan_id} score=${result.score}`
  );
}

// Only reached when the scan succeeded and the score is below the threshold
return { scan_id: result.scan_id, scan_score: result.score, image_safe: true };
```
Throwing from a Code by Zapier step halts the Zap run with an error, which Zapier retries according to your Zap's error handling settings. For production Zaps, configure a separate error-handling Zap (Zapier's "Catch Hook" trigger on error) to route flagged scans to a Slack notification or a Google Sheet audit log.
Coverage matrix
| Defence layer | Gmail attachment | Typeform file upload | Drive new file | Slack image share |
|---|---|---|---|---|
| Zapier built-in spam/phishing filter | Partial (not PI-specific) | No | No | No |
| OpenAI content moderation | Harm categories only (not PI) | Harm categories only | Harm categories only | Harm categories only |
| Text-only scanner (LLM Guard, Lakera) | No — image bytes ignored | No | No | No |
| Glyphward Webhooks action | Yes — pixel-level scan | Yes | Yes | Yes |
Related questions
Which Zapier AI Step models support image inputs?
As of mid-2026, Zapier's AI Step supports OpenAI GPT-4o and GPT-4 Turbo (both vision-capable), Anthropic Claude 3/3.5 Sonnet and Opus, and Google Gemini 1.5 Pro and Flash. When you configure the AI Step to include an image field from an upstream step, it sends the image as a vision message to the model. If you are unsure whether your AI Step is processing images, check the AI Step's "Input" panel at runtime — if you see an image field mapped from an upstream trigger, it is vision-capable and should be gated.
Does Glyphward scanning count against my Zapier task usage?
Yes — each "Webhooks by Zapier" or "Code by Zapier" action in a Zap consumes one Zapier task per run. On Zapier's free tier (100 tasks/month), consider scanning only when the upstream trigger confirms the file MIME type is an image or PDF. On Professional and Team tiers, the additional task per Zap run is negligible overhead compared to the risk of an undetected PI attack in a production automation.
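One way to make that pre-check in a Code step, as an added example (not Zapier or Glyphward code): it reads the file's leading bytes as well as the declared MIME type, because the declared type is supplied by whoever sent the file. The helper names `sniffType` and `needsScan` are hypothetical, and only PNG, JPEG, GIF, WebP and PDF signatures are recognised.

```javascript
// Added example, not Zapier or Glyphward code. needsScan and sniffType are
// hypothetical helper names; only PNG, JPEG, GIF, WebP and PDF are recognised.
const SIGNATURES = [
  { type: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  { type: 'image/gif', magic: [0x47, 0x49, 0x46, 0x38] },             // "GIF8"
  { type: 'application/pdf', magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
];

// Identify the file from its first bytes; returns null when nothing matches.
function sniffType(base64) {
  // Drop an optional data-URL prefix, then decode only the head of the file.
  const raw = String(base64 || '').replace(/^data:[^,]*,/, '').slice(0, 64);
  const head = Buffer.from(raw, 'base64');
  for (const { type, magic } of SIGNATURES) {
    if (head.length >= magic.length && magic.every((b, i) => head[i] === b)) return type;
  }
  // WebP is a RIFF container: "RIFF" <4-byte size> "WEBP".
  if (head.length >= 12 && head.toString('latin1', 0, 4) === 'RIFF' &&
      head.toString('latin1', 8, 12) === 'WEBP') return 'image/webp';
  return null;
}

const SCANNABLE = /^(image\/|application\/pdf$)/i;

// Scan when EITHER the declared type or the bytes say image/PDF, so an upload
// labelled text/plain that is really a PNG still reaches the scanner.
function needsScan(declaredMime, base64) {
  const sniffed = sniffType(base64);
  const declared = String(declaredMime || '').trim();
  const scan = sniffed !== null || SCANNABLE.test(declared);
  // mismatch: the label and the bytes disagree, which is worth logging.
  const mismatch = sniffed !== null && declared.toLowerCase() !== sniffed;
  return { scan, sniffed, mismatch };
}
```

Skipping the scan is only safe when the same file is also not forwarded to the AI Step as an image; a `mismatch` result is a useful signal to write to the audit log.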
What happens if Glyphward is temporarily unavailable?
The "Code by Zapier" example above throws on a non-200 response, which causes the Zap to fail (fail-closed). The "Webhooks by Zapier + Filter" approach depends on how Zapier handles a failed Webhooks action — by default it retries, then marks the Zap run as errored. For business-critical Zaps, use the Code approach with explicit error handling and configure a "Zapier Manager" error step that routes timed-out scans to a human review queue rather than letting them through.
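The explicit error handling this answer recommends, combined with the multi-image case mentioned under "Alternative: Code by Zapier", as an added example (not Glyphward's or Zapier's code). The endpoint, request body and the `score` / `scan_id` fields are the ones shown on this page; `gateImages`, the three verdict names and the `timeoutMs` default are assumptions made for the example.

```javascript
// Added example, not Glyphward or Zapier code. Endpoint, body and the score /
// scan_id fields are from this page; gateImages, the verdicts and timeoutMs are assumed.
const SCAN_URL = 'https://glyphward.com/v1/scan';
const BLOCK_THRESHOLD = 70; // same cut-off as the Filter step

async function scanOne(image, apiKey, fetchImpl, timeoutMs) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    const resp = await fetchImpl(SCAN_URL, {
      method: 'POST',
      headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ image, source: 'zapier_code_step' }),
      signal: ctrl.signal,
    });
    // Scanner outage: never "allow", send to human review instead.
    if (!resp.ok) return { verdict: 'review', reason: `http_${resp.status}` };
    const { score, scan_id } = await resp.json();
    // A missing or non-numeric score must not slip past `score >= 70`.
    if (typeof score !== 'number' || !Number.isFinite(score)) {
      return { verdict: 'review', reason: 'malformed_response' };
    }
    const verdict = score >= BLOCK_THRESHOLD ? 'block' : 'allow';
    return { verdict, reason: 'score', score, scan_id };
  } catch (err) {
    const reason = err && err.name === 'AbortError' ? 'timeout' : 'network_error';
    return { verdict: 'review', reason };
  } finally {
    clearTimeout(timer);
  }
}

// Multi-image Zap: the worst verdict wins (block > review > allow).
async function gateImages(images, apiKey, { fetchImpl = fetch, timeoutMs = 5000 } = {}) {
  // An empty image list means nothing was scanned, which is not the same as safe.
  if (!Array.isArray(images) || images.length === 0) return { verdict: 'review', results: [] };
  const results = await Promise.all(
    images.map((img) => scanOne(img, apiKey, fetchImpl, timeoutMs))
  );
  const rank = { allow: 0, review: 1, block: 2 };
  const verdict = results.reduce((w, r) => (rank[r.verdict] > rank[w] ? r.verdict : w), 'allow');
  return { verdict, results };
}
```

In a Code by Zapier step, return the result of `gateImages(...)` and let a later Filter or Paths step continue only on `allow`, sending `review` to the human queue and `block` to the audit log.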
Can I use this for Zapier Interfaces (AI-powered form builders)?
Yes. Zapier Interfaces can trigger Zaps on form submissions that include file uploads. The same pattern applies: the file upload field maps to an image binary in the Zap, which you intercept with a Webhooks or Code scan action before any downstream AI Step. If your Interface uses Zapier's native AI feature (built-in AI responses powered by the Interface), check whether that path routes through a Zap — if it does, the scan applies; if the AI response is handled directly inside the Interface without a Zap step, the integration path is different and may require a custom API call from the Interface's "Custom Code" block.
Further reading
- FigStep detection — the typographic attack class most commonly exploited in automation pipelines.
- PDF prompt-injection detection — scanning invoice and document attachments from Gmail triggers.
- Indirect prompt injection via image — PI payloads in remotely-fetched images from Drive or webhook URLs.
- For n8n automation — comparable integration guide for n8n, the open-source Zapier alternative.
- For Dify agents — integration guide for Dify, another widely-used visual workflow builder.
- For Flowise agents — no-code agent builder integration.
- Why text-only scanners miss image prompt injection — architectural background.