- Home
- MCP servers
- VirusTotal
VirusTotal
- python
3
GitHub Stars
python
Language
6 months ago
First Indexed
2 months ago
Catalog Refreshed
Documentation & install
Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.
Installation
Add the following to your MCP client configuration file.
Configuration
View docs{
"mcpServers": {
"emeryray2002-virustotal-mcp": {
"command": "npx",
"args": [
"-y",
"@smithery/cli",
"install",
"@emeryray2002/virustotal-mcp",
"--client",
"claude"
],
"env": {
"VT_API_KEY": "YOUR_VT_API_KEY"
}
}
}
}This MCP server lets you query VirusTotal data through a model-centric API, returning comprehensive security analyses for URLs, files, IPs, and domains along with rich relationship data. You can use it from MCP-enabled clients to perform in-depth investigations and fetch related artifacts in a single workflow.
How to use
You connect an MCP client to the VirusTotal MCP Server to run analyses and fetch relationship data. Use the provided report tools to generate complete security overviews for URLs, files, IPs, and domains, and leverage relationship tools to drill into connected artifacts with pagination.
Key workflows to consider:
- Analyze a URL to see its security posture, contacted domains, downloaded files, redirects, and related threat actors.
- Analyze a file by its hash to get detection results, file properties, and linked relationships such as behaviors and dropped files.
- Explore an IP to obtain geolocation, reputation, and historical relationships like resolutions and related files.
- Inspect a domain to gather DNS records, WHOIS data, SSL certificates, subdomains, and historical context.
How to install
Prerequisites you need before running the server:
- Python 3.11 or newer
- Node.js and npm (if you plan to use npm/npx install flows for MCP tooling)
- A VirusTotal API key with access to the required data scopes
Step-by-step installation and run methods are shown below. Pick the approach that matches how you want to run the server.
# Option A: Install via Smithery (CLI-based install for Claude Desktop)
# This installs the MCP package so your client can communicate with Claude Desktop
npx -y @smithery/cli install @emeryray2002/virustotal-mcp --client claude
{
"mcpServers": {
"virustotal_mcp_cli": {
"type": "stdio",
"name": "virustotal_mcp_cli",
"command": "npx",
"args": ["-y", "@smithery/cli", "install", "@emeryray2002/virustotal-mcp", "--client", "claude"]
}
}
}
# Option B: Run in development mode (direct Python module)
python -m virustotal_mcp
"}]} ,{"heading":"Additional configuration and usage notes","blocks":[{"type":"paragraph","text":"The server requires a valid VirusTotal API key and Python dependencies. Ensure your environment variables are set for any sensitive data, such as the API key. When you start the server in Python mode, it will expose an MCP-compatible interface for your client to consume the available tools." ,
## Requirements and error handling
Ensure you meet all prerequisites before starting. The server includes robust error handling for invalid API keys, rate limits, network issues, incorrect input, invalid hashes/IPs/URLs, invalid relationship types, and pagination problems. If you encounter an error, verify your API key, recheck the input format, and retry with appropriate pagination cursors.
## Security and best practices
Protect your VirusTotal API key by using environment variables and avoiding hard-coded secrets. Run the MCP server with restricted access and monitor logs for unusual activity. Keep dependencies up to date and follow standard security practices for handling threat intelligence data.
## Troubleshooting and examples
If the server fails to start, confirm that Python 3.11+ is installed and that the command you used to start the server is exactly as shown. Check that the required Python packages are installed (aiohttp, mcp[cli], python-dotenv, typing-extensions) and that your VirusTotal API key is valid.
## Available tools
### get\_url\_report
Get a comprehensive URL analysis report including security scan results and key relationships (communicating files, contacted domains/IPs, downloaded files, redirects, threat actors)
### get\_file\_report
Get a comprehensive file analysis report using its hash (MD5/SHA-1/SHA-256) including detections, properties, and key relationships (behaviours, dropped files, network connections)
### get\_ip\_report
Get a comprehensive IP address analysis report including geolocation, reputation data, and key relationships (communicating files, historical certificates/WHOIS, resolutions)
### get\_domain\_report
Get a comprehensive domain analysis report including DNS records, WHOIS data, and key relationships (SSL certificates, subdomains, historical data)
### get\_url\_relationship
Query a specific relationship type for a URL with pagination support
### get\_file\_relationship
Query a specific relationship type for a file with pagination support
### get\_ip\_relationship
Query a specific relationship type for an IP address with pagination support
### get\_domain\_relationship
Query a specific relationship type for a domain with pagination support
### advanced\_corpus\_search
Perform advanced VT Intelligence searches across the VirusTotal dataset with pagination