Hi n8n team,
n8n workflows frequently ingest binary payloads — IMAP attachments, Google Drive exports, webhook uploads, S3 objects, Dropbox sync. Today there’s no built-in way to gate these on malware content, so users either trust the source, pipe to an external scanner over HTTP, or skip scanning entirely.
Request: a first-party “Malware Scan” node that runs ClamAV on binary data from a previous node’s output, with two operation modes:
Local: spawn clamscan on a temp file derived from the binary property
Remote: scan over clamd TCP (host / port parameters) — fits the Docker-native way most n8n instances run alongside a ClamAV container
Return shape: { verdict: ‘clean’ | ‘malicious’ | ‘scan_error’, signature?: string } with three branches for routing. The scan_error case is the one custom implementations consistently get wrong, so making it a distinct branch at the node level matters.
This unlocks workflows like “IMAP attachment → scan → clean goes to Drive, malicious goes to quarantine + Slack alert” without any Code node.
The Node.js layer can be backed by clamscan or pompelmi (disclosure: I maintain pompelmi). Happy to contribute the node if the team is open to it.