VirusTotal

Queries VirusTotal data through MCP with URL/File/IP/Domain analyses and relationship queries
  • python

3

GitHub Stars

python

Language

6 months ago

First Indexed

2 months ago

Catalog Refreshed

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "emeryray2002-virustotal-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "@smithery/cli",
        "install",
        "@emeryray2002/virustotal-mcp",
        "--client",
        "claude"
      ],
      "env": {
        "VT_API_KEY": "YOUR_VT_API_KEY"
      }
    }
  }
}

This MCP server lets you query VirusTotal data through a model-centric API, returning comprehensive security analyses for URLs, files, IPs, and domains along with rich relationship data. You can use it from MCP-enabled clients to perform in-depth investigations and fetch related artifacts in a single workflow.

How to use

You connect an MCP client to the VirusTotal MCP Server to run analyses and fetch relationship data. Use the provided report tools to generate complete security overviews for URLs, files, IPs, and domains, and leverage relationship tools to drill into connected artifacts with pagination.

Key workflows to consider:

  • Analyze a URL to see its security posture, contacted domains, downloaded files, redirects, and related threat actors.
  • Analyze a file by its hash to get detection results, file properties, and linked relationships such as behaviors and dropped files.
  • Explore an IP to obtain geolocation, reputation, and historical relationships like resolutions and related files.
  • Inspect a domain to gather DNS records, WHOIS data, SSL certificates, subdomains, and historical context.

How to install

Prerequisites you need before running the server:
- Python 3.11 or newer
- Node.js and npm (if you plan to use npm/npx install flows for MCP tooling)
- A VirusTotal API key with access to the required data scopes

Step-by-step installation and run methods are shown below. Pick the approach that matches how you want to run the server.

# Option A: Install via Smithery (CLI-based install for Claude Desktop)
# This installs the MCP package so your client can communicate with Claude Desktop
npx -y @smithery/cli install @emeryray2002/virustotal-mcp --client claude
{
  "mcpServers": {
    "virustotal_mcp_cli": {
      "type": "stdio",
      "name": "virustotal_mcp_cli",
      "command": "npx",
      "args": ["-y", "@smithery/cli", "install", "@emeryray2002/virustotal-mcp", "--client", "claude"]
    }
  }
}
# Option B: Run in development mode (direct Python module)
python -m virustotal_mcp

"}]} ,{"heading":"Additional configuration and usage notes","blocks":[{"type":"paragraph","text":"The server requires a valid VirusTotal API key and Python dependencies. Ensure your environment variables are set for any sensitive data, such as the API key. When you start the server in Python mode, it will expose an MCP-compatible interface for your client to consume the available tools." ,

## Requirements and error handling

Ensure you meet all prerequisites before starting. The server includes robust error handling for invalid API keys, rate limits, network issues, incorrect input, invalid hashes/IPs/URLs, invalid relationship types, and pagination problems. If you encounter an error, verify your API key, recheck the input format, and retry with appropriate pagination cursors.

## Security and best practices

Protect your VirusTotal API key by using environment variables and avoiding hard-coded secrets. Run the MCP server with restricted access and monitor logs for unusual activity. Keep dependencies up to date and follow standard security practices for handling threat intelligence data.

## Troubleshooting and examples

If the server fails to start, confirm that Python 3.11+ is installed and that the command you used to start the server is exactly as shown. Check that the required Python packages are installed (aiohttp, mcp[cli], python-dotenv, typing-extensions) and that your VirusTotal API key is valid.

## Available tools

### get\_url\_report

Get a comprehensive URL analysis report including security scan results and key relationships (communicating files, contacted domains/IPs, downloaded files, redirects, threat actors)

### get\_file\_report

Get a comprehensive file analysis report using its hash (MD5/SHA-1/SHA-256) including detections, properties, and key relationships (behaviours, dropped files, network connections)

### get\_ip\_report

Get a comprehensive IP address analysis report including geolocation, reputation data, and key relationships (communicating files, historical certificates/WHOIS, resolutions)

### get\_domain\_report

Get a comprehensive domain analysis report including DNS records, WHOIS data, and key relationships (SSL certificates, subdomains, historical data)

### get\_url\_relationship

Query a specific relationship type for a URL with pagination support

### get\_file\_relationship

Query a specific relationship type for a file with pagination support

### get\_ip\_relationship

Query a specific relationship type for an IP address with pagination support

### get\_domain\_relationship

Query a specific relationship type for a domain with pagination support

### advanced\_corpus\_search

Perform advanced VT Intelligence searches across the VirusTotal dataset with pagination
Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational