Zapier Agent Security Risks

Custom Workflow Agents zapier.com Fortified Leaders
AI RISK QUADRANT POSITION DEFENSE CONTROLS (8) ATTACK SURFACE (6.64) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
6.36
Medium
Attack Surface
6.64
High
Blast Radius
5.88
High
Defense Controls
8
Medium
About The Agent

Zapier is a cloud-hosted workflow automation platform that connects over 9,000 third-party applications through event-driven triggers, scheduled automations, AI-powered agents, and a Model Context Protocol server exposing 40,000+ actions to external AI clients. The platform operates as multi-tenant SaaS with OAuth-delegated credential storage. Its primary risk surface stems from expansive integration breadth combined with demonstrated sandbox escape history and supply-chain compromise incidents affecting its npm package ecosystem.

About the AI Risk Quadrant

Fortified Leaders describes agents with moderate-to-high attack surface and blast radius that outpace their defense posture. Zapier scores 6.64 on attack surface driven by tool execution penalties and broad input channels, 5.88 on blast radius from OAuth credential delegation across thousands of services, and 8 out of 15 on defense controls where documented safeguards remain at the inferred confidence tier. Operators should prioritize closing the gap between integration breadth and default-on protection.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Zapier presents broad input exposure through MCP and webhook channels, expansive credential delegation across connected services, and defense controls that remain opt-in on default configuration.

Key Input Risks
The MCP server and webhook triggers accept structured requests from external AI clients and arbitrary HTTP sources into the workflow execution loop. CVE-2022-28802 demonstrated that shared execution environments amplify input-sourced escalation across account boundaries.
Key Execution Risks
Code by Zapier executes user-supplied JavaScript and Python within a cloud-hosted Lambda environment that lacked per-user isolation until 2022. The post-incident isolation boundary has not been independently verified through public red-team disclosure.
Key Action Risks
Trigger-based Zaps fire connected-app actions autonomously including email dispatch, record writes, and API calls without per-action operator approval on default configuration. OAuth-delegated credentials span 9,000+ connected services sharing a centralized credential vault.
Key Output Risks
Workflows emit data through email, messaging APIs, webhooks, and connected-app writes without default DLP or output redaction controls. AI Guardrails for output filtering operate as opt-in workflow steps rather than platform-enforced gates.
Key Monitoring Risks
Audit logging tracks Zap lifecycle events and admin actions but requires Team or Enterprise plan enrollment with 6-to-12-month retention. Per-action payload inspection and real-time anomaly detection remain operator-managed through external SIEM integration.

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Zapier's composite AIRQ score reflects broad integration exposure and credential delegation partially offset by documented but opt-in defense controls.

AIRQ Metrics

Zapier places in the Fortified Leaders quadrant with attack surface 6.64, blast radius 5.88, and defense controls 8 of 15, indicating that integration breadth outpaces default-on safeguards.

Attack surface and blast radius are scored out of 10; defense controls out of 15; the AIRQ composite normalizes all three axes into a single 0-to-15 risk indicator.

Metric Score Comments
AIRQ Score 6.36 Moderate-high composite driven by tool execution penalties and credential delegation breadth; hardening should target trifecta-breaking controls first.
Blast Radius 5.88 / 10 Credential access dominates at 4 of 4 from OAuth delegation; autonomous action and network access add significant lateral reach.
Attack Surface 6.64 / 10 Trifecta-complete with tool execution penalty from CVE-2022-28802 and configuration penalty from supply-chain compromise.
Defense Controls 8 / 15 Vendor documents guardrails, isolation, and audit logging but all remain opt-in or plan-gated on default configuration.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Zapier's reasoning loop ingests structured requests from external AI clients via MCP, webhook payloads, and data from 9,000+ connected third-party applications.

Attack Surface Metrics

Higher scores indicate surfaces with demonstrated exploitation history or broader untrusted-input exposure; tool execution and configuration carry evidence penalties.

Each row names one attack surface component, its adjusted score out of 4 (with evidence penalties where applicable), and a one-line rationale citing the documented behavior.

Surface Score Comments
User Input 4 / 4 MCP server accepts structured requests from any authenticated external AI client into workflow execution without per-request content validation [8].
External Data 3 / 4 Workflows ingest data from 9,000+ connected applications including email content, file attachments, and third-party API responses; WordPress plugin SSRF demonstrated server-side request reach [2][7].
Memory 2 / 4 Agent memory persists conversation context and knowledge sources across sessions with operator-configured retention policies [7].
Reasoning 2 / 4 Reasoning delegates to external LLMs via bring-your-own-model configuration without documented reasoning-loop boundary guardrails [7].
Planning 3 / 4 Autonomous trigger-based scheduling executes multi-step task plans on configurable cadences without per-execution operator confirmation [7].
Tool Execution 5 / 4 Code by Zapier sandbox escape (CVE-2022-28802, CVSS 9.9) demonstrated intra-account privilege escalation; independent research confirmed full organization-wide control [1][5].
Orchestration 3 / 4 Multi-step Zap chaining, Paths, and sub-Zap invocation enable complex workflow orchestration that crosses application trust boundaries [7].
Inter-Agent 3 / 4 MCP protocol enables external AI agents to invoke Zapier actions without inter-agent authentication beyond the initial OAuth bearer token [8].
Output Processing 3 / 4 Rich output channels span email, messaging, webhooks, and file writes with AI Guardrails operating as opt-in workflow steps only [9].
Configuration 4 / 4 Supply-chain compromise of @zapier/zapier-sdk demonstrated credential theft through the npm dependency chain; vendor confirmed unauthorized package modifications [3][4][12].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Zapier accepts MCP requests and webhook payloads from external sources, holds OAuth-delegated credentials across thousands of services, and sends outbound data through email, messaging, and HTTP webhook channels.

Lethal Trifecta · Complete (3 of 3)

Zapier exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — MCP server requests, webhook trigger payloads, and connected-app event data introduce untrusted bytes into the workflow reasoning loop [8].
  • Sensitive data — OAuth-delegated credentials and connected-app data spanning email, calendar, customer records, and source code repositories are accessible within the execution context [7].
  • External egress — Outbound channels including email dispatch, messaging APIs, HTTP webhooks, and connected-app write actions send bytes outside the operator's trust boundary [7].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Zapier workflow reaches OAuth-delegated credentials across thousands of connected services, autonomous action execution, and unrestricted outbound network channels.

Blast Radius Metrics

Higher scores indicate broader reach from a single compromised workflow; credential access dominates because OAuth delegation spans the full connected-app catalog.

Each row maps one blast factor to its score out of 4 and names the specific workflow capability or OAuth scope that drives the reach assessment.

Factor Score Comments
Code execution 2 / 4 Code by Zapier provides JavaScript and Python execution within a cloud-hosted environment; no operator shell or browser access by default [1].
File system access 1 / 4 No direct file system access; file operations are mediated exclusively through connected cloud storage application APIs [7].
Network access 3 / 4 Unrestricted outbound HTTP via Webhooks by Zapier and connected-app APIs enables data transmission to arbitrary external endpoints [7].
Credential access 4 / 4 OAuth-delegated credentials across 9,000+ connected services stored in shared vault; CVE-2022-28802 demonstrated cross-user credential access [1].
Autonomous action 3 / 4 Trigger-based execution fires connected-app actions on schedules and events with optional human-in-the-loop approval gates [7].
Deployment access 1 / 4 No direct infrastructure deployment tools available; actions limited to application-level operations within connected services [7].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Zapier documents AI Guardrails, execution isolation, action restrictions, and audit logging but all controls remain opt-in or plan-gated rather than default-on.

Defense Controls Metrics

Higher defense scores indicate stronger vendor-implemented safeguards; all components score at the inferred confidence tier due to limited independent verification.

Each component is scored 0 to 3 based on whether the control is absent, operator-managed, vendor-documented, or independently verified.

Component Score Comments
Input Guardrails 1 / 3 AI Guardrails offer opt-in prompt-injection detection as a workflow step; independent analysis found guardrails operate at output layer only [6][9].
Execution Isolation 2 / 3 Multi-tenant Lambda execution with post-incident per-user isolation; no documented container-level sandboxing beyond environment separation [7].
Action Controls 2 / 3 Admin-configured action restrictions and managed connections provide per-integration toggles; human-in-the-loop approval gates are opt-in [7].
Output Guardrails 1 / 3 PII detection and toxicity analysis available as opt-in AI Guardrail workflow steps; no default output redaction or DLP enforcement [9].
Monitoring 2 / 3 Audit log tracks Zap lifecycle and admin actions on Team and Enterprise plans; 2025 repository breach exposed gaps in access monitoring [10][11].

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the trifecta by gating autonomous actions and enforcing input validation before addressing monitoring gaps.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require security review approval for any Zap or Agent that accepts webhook or MCP input from external sources.
  • Configuration Enable AI Guardrails prompt-injection detection step on every workflow that processes text content from external channels.
  • Engineering Deploy a pre-processing classifier that validates inbound MCP payloads against an allowlisted schema before workflow entry.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Mandate separate Zapier accounts for production and development workloads to prevent cross-environment escalation paths.
  • Configuration Restrict Code by Zapier to a dedicated workspace with minimal connected integrations and no shared credential access.
  • Engineering Instrument execution telemetry on Code steps to detect anomalous resource consumption or unexpected outbound API calls.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Require human-in-the-loop approval for all actions that write to production databases or send external communications.
  • Configuration Configure action restrictions to allowlist only the specific integrations each workflow requires rather than permitting all available.
  • Engineering Build a middleware Zap that validates action parameters against business rules before forwarding to the destination service.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Require DLP review for any workflow that forwards internal data to external messaging or email channels.
  • Configuration Enable AI Guardrails PII detection on every output step that writes to externally-accessible destinations.
  • Engineering Implement output validation logic that strips URLs and redacts credential patterns before external delivery steps.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Require audit log forwarding to organizational SIEM for all production Zapier workspaces on enterprise plans.
  • Configuration Configure alert rules on Zap error spikes, unusual trigger volumes, and new connection authorization events.
  • Engineering Build automated compliance checks comparing active Zap configurations against approved integration baselines on a weekly cadence.

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2022-28802 Code by Zapier intra-account privilege escalation (CVSS 9.9) via shared Lambda execution; patched 2022-08-17
  2. CVE-2024-13411 Zapier for WordPress plugin SSRF (CVSS 6.4) via updated_user(); patched in 1.5.2
  3. MAL-2025-190648 Supply-chain compromise of @zapier/zapier-sdk npm via Sha1-Hulud worm; removed from registry
  4. Zapier NPM Package Incident Vendor incident report confirming unauthorized modifications to zapier-platform-core and zapier-platform-cli

Selected Research

  1. ZapEscape Disclosure Zenity Labs demonstrated full sandbox escape in Code by Zapier via private Zap invisible to monitoring
  2. MCP Guardrails Limitations Independent analysis argues AI Guardrails operate at output layer only; supply-chain and execution-layer threats unaddressed

Vendor Documentation

  1. Zapier Security and Compliance Vendor security overview: SOC 2 Type II, encryption, action restrictions, managed connections, log streaming
  2. Zapier MCP Documentation MCP server giving external AI clients authenticated access to 9000+ apps through governed connection
  3. AI Guardrails Feature Guide AI Guardrails: opt-in PII detection, prompt-injection detection, toxicity detection for Zaps and Agents
  4. Zapier Audit Log Audit log tracking Zap lifecycle events and admin actions; Team and Enterprise plans only

Other Sources

  1. Zapier Code Repository Breach February 2025 breach via 2FA misconfiguration exposed code repositories containing customer data
  2. Sha1-Hulud Supply Chain Analysis Self-propagating Sha1-Hulud worm infected Zapier npm packages and harvested developer credentials