Lifecycle hook or plugin for content-based validation (malware scanning) on Upload provider
Tommaso Bertocchi
Hi Strapi team,
A recurring concern for teams running Strapi as a public-facing backend — form submissions, user-contributed media, community platforms — is that the Upload plugin accepts files with no content inspection. Today this has to be solved out of band, usually with a separate scanner watching the upload folder or the S3 bucket, which creates a window where malicious files are reachable via the Media Library before detection.
Would there be interest in either (a) a documented extension point in the Upload plugin for pre-save validation of file bytes, or (b) a first-party "antivirus" plugin that runs ClamAV (local or remote clamd) before the file is persisted?
The ergonomic API would be a beforeUpload / afterUpload lifecycle that can reject a file before it reaches the provider, with a typed verdict (clean / malicious / scan_error) so that timeouts and scanner failures don't silently fall through as "clean".
In the Node.js ecosystem, the two practical ClamAV wrappers are clamscan and pompelmi. Happy to prototype a plugin if there's interest.
Disclosure: I maintain pompelmi (https://github.com/pompelmi/pompelmi). This is not a pitch for pompelmi specifically — the underlying gap is Strapi-side and any scanner works.
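The following is an added example, not code from the original post, from Strapi's Upload plugin, or from pompelmi or clamscan. It sketches the verdict handling the post proposes: a `beforeUpload` hook that wraps the scanner call in a deadline and maps every outcome to `clean`, `malicious` or `scan_error`, so that a timeout or an unreachable scanner is never reported as `clean`. The hook signature, the `scanner.scan(bytes)` interface returning `{ infected, signature }`, the `failClosed` option and the three test-double scanners are assumptions constructed for illustration.

```javascript
// Added example. Not Strapi, pompelmi or clamscan code; the hook shape and the
// scanner interface (scan(bytes) -> Promise<{infected, signature}>) are assumptions.

const VERDICT = Object.freeze({
  CLEAN: 'clean',
  MALICIOUS: 'malicious',
  SCAN_ERROR: 'scan_error',
});

// Run the scanner under a deadline. A timeout, a thrown error or a malformed
// result all collapse to SCAN_ERROR; only an explicit "not infected" is CLEAN.
async function scanWithTimeout(scanner, bytes, timeoutMs) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`scan timed out after ${timeoutMs} ms`)), timeoutMs);
  });
  try {
    const result = await Promise.race([scanner.scan(bytes), deadline]);
    if (!result || typeof result.infected !== 'boolean') {
      return { verdict: VERDICT.SCAN_ERROR, detail: 'scanner returned no verdict' };
    }
    return result.infected
      ? { verdict: VERDICT.MALICIOUS, detail: result.signature || 'unnamed signature' }
      : { verdict: VERDICT.CLEAN, detail: null };
  } catch (err) {
    return { verdict: VERDICT.SCAN_ERROR, detail: err.message };
  } finally {
    clearTimeout(timer);
  }
}

// Hypothetical beforeUpload hook: returns a decision the Upload plugin could act on
// before handing the file to its provider. With failClosed=true a scan_error
// rejects the file; failClosed=false accepts unscanned content but keeps the
// scan_error verdict visible to the caller (for logging or alerting).
async function beforeUpload(file, { scanner, timeoutMs = 5000, failClosed = true }) {
  const { verdict, detail } = await scanWithTimeout(scanner, file.buffer, timeoutMs);
  if (verdict === VERDICT.CLEAN) {
    return { accept: true, verdict, reason: null };
  }
  if (verdict === VERDICT.MALICIOUS) {
    return { accept: false, verdict, reason: `rejected ${file.name}: ${detail}` };
  }
  // scan_error: policy decides acceptance, but the verdict is never relabelled clean
  return { accept: !failClosed, verdict, reason: `scan of ${file.name} failed: ${detail}` };
}

// Constructed scanners standing in for clamd (test doubles, not real engines).
const MARKER = Buffer.from('CONSTRUCTED-MALICIOUS-MARKER');

const markerScanner = {
  async scan(bytes) {
    return bytes.includes(MARKER)
      ? { infected: true, signature: 'Constructed.Test.Marker' }
      : { infected: false };
  },
};
const hangingScanner = { scan: () => new Promise(() => {}) }; // never answers
const unreachableScanner = { scan: async () => { throw new Error('clamd unreachable'); } };

// Exercise each path with constructed files and return all decisions.
async function demo() {
  const clean = { name: 'photo.jpg', buffer: Buffer.from('ordinary bytes') };
  const bad = { name: 'invoice.pdf', buffer: Buffer.concat([Buffer.from('%PDF-1.4 '), MARKER]) };
  return {
    clean: await beforeUpload(clean, { scanner: markerScanner, timeoutMs: 100 }),
    malicious: await beforeUpload(bad, { scanner: markerScanner, timeoutMs: 100 }),
    timedOut: await beforeUpload(clean, { scanner: hangingScanner, timeoutMs: 50 }),
    unreachable: await beforeUpload(clean, { scanner: unreachableScanner, timeoutMs: 100 }),
    failOpen: await beforeUpload(clean, { scanner: hangingScanner, timeoutMs: 50, failClosed: false }),
  };
}

demo().then((decisions) => console.log(JSON.stringify(decisions, null, 2)));
```

The point of the three-way verdict is visible in the `timedOut` and `unreachable` cases: both come back as `scan_error` with `accept: false` under the default policy, and even with `failClosed: false` the verdict stays `scan_error`, so a file that was never actually scanned cannot be mistaken for one that passed.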