How to Secure Make.com Workflows from AI Threats
A practical 4-step guide to locking down your Make.com scenarios before AI vulnerabilities become real incidents.
Published April 13, 2026 · 6 min read · By Scannly
To secure Make.com workflows from AI threats, you need to validate all external inputs before they reach AI modules, restrict what actions AI modules can trigger, and monitor outputs for unexpected behaviour. Most small business Make.com automations have at least one of these gaps.
Why Make.com Workflows Are a Target
Make.com makes it easy to connect apps and automate tasks — but that same connectivity is what makes it risky when AI modules are involved. A single scenario can touch your email, CRM, Slack, Google Sheets, and database in one run. If an attacker can influence one input, they can potentially affect all of them.
The three most common attack surfaces in Make.com scenarios:
- Webhook triggers — anyone who knows your webhook URL can send data into your scenario
- Email parsing modules — email bodies are passed directly to AI modules without sanitisation
- HTTP modules — external API responses fed into AI steps without validation
Step 1 — Validate Inputs Before AI Modules
Before any data reaches an AI module (OpenAI, Claude, Gemini), add a filter or router that checks the data is what you expect. Specifically:
- Check that text fields don't contain phrases like "ignore previous instructions" or "system:"
- Limit input length — most legitimate inputs don't need more than 500 characters
- For webhooks, use Make.com's built-in webhook authentication (secret token in headers)
Step 2 — Restrict What AI Modules Can Trigger
Apply the principle of least privilege to your Make.com scenarios. Ask: does the AI module output need to directly trigger a send email, update CRM, or post Slack message action? If not, add a human approval step or a router that validates the AI output first.
Webhook → AI module → Send Email. This chain means an attacker who controls the webhook payload can send emails from your account.
Step 3 — Monitor AI Module Outputs
Add a router after every AI module that checks the output before it flows downstream. Flag responses that:
- Contain URLs not present in the original input
- Are significantly longer than expected
- Contain email addresses or phone numbers not in your data
- Include phrases like "as instructed" or "per your new instructions"
Step 4 — Run a Risk Scan on Your Scenarios
Manual audits take time. Scannly's free Risk Scanner lets you describe your Make.com scenario and returns a scored risk report in 30 seconds — flagging high-risk patterns, unsafe data flows, and specific fixes.
Scan Your Make.com Scenario
Describe your scenario and get a scored security report in 30 seconds — no account required.
Run My Free Scan →