VirusTotal
by burtthecoder
Access VirusTotal's threat intelligence via this MCP server for advanced security analysis, intrusion prevention, and vi
This VirusTotal MCP server enables AI assistants to programmatically access VirusTotal's threat intelligence for security analysis and threat detection.
best for
- Security analysts investigating threats
- SOC teams doing incident response
- Developers validating file safety
- IT administrators checking suspicious URLs
capabilities
- Analyze files for malware detection
- Check URLs for malicious content
- Query IP addresses for threat intelligence
- Scan domains for security issues
- Fetch relationship data between security objects
- Generate comprehensive security reports
what it does
Connects AI assistants to VirusTotal's threat intelligence API for analyzing files, URLs, IPs, and domains for malware and security threats.
about
VirusTotal is a community-built MCP server published by burtthecoder that provides AI assistants with tools and capabilities via the Model Context Protocol. Access VirusTotal's threat intelligence via this MCP server for advanced security analysis, intrusion prevention, and vi It is categorized under auth security, analytics data.
how to install
You can install VirusTotal in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.
license
MIT
VirusTotal is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
readme
VirusTotal MCP Server
A Model Context Protocol (MCP) server for querying the VirusTotal API. This server provides comprehensive security analysis tools with automatic relationship data fetching. It integrates seamlessly with MCP-compatible applications like Claude Desktop.
Quick Start (Recommended)
Claude Code
claude mcp add --transport stdio --env VIRUSTOTAL_API_KEY=your-key virustotal -- npx -y @burtthecoder/mcp-virustotal
Codex CLI
codex mcp add virustotal --env VIRUSTOTAL_API_KEY=your-key -- npx -y @burtthecoder/mcp-virustotal
Gemini CLI
gemini mcp add -e VIRUSTOTAL_API_KEY=your-key virustotal npx -y @burtthecoder/mcp-virustotal
Installing via Smithery
To install VirusTotal Server for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install @burtthecoder/mcp-virustotal --client claude
Installing Manually
- Install the server globally via npm:
  npm install -g @burtthecoder/mcp-virustotal
- Add to your Claude Desktop configuration file:
  {
    "mcpServers": {
      "virustotal": {
        "command": "mcp-virustotal",
        "env": {
          "VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
        }
      }
    }
  }
  Configuration file location:
  - macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  - Windows: %APPDATA%\Claude\claude_desktop_config.json
- Restart Claude Desktop
Using with VS Code
To use this MCP server in VS Code with GitHub Copilot:
- Install the server globally via npm:
  npm install -g @burtthecoder/mcp-virustotal
- Create or update your VS Code MCP configuration file at:
  - macOS/Linux: ~/.vscode/mcp.json
  - Windows: %USERPROFILE%\.vscode\mcp.json
- Add the following configuration:
  {
    "servers": {
      "virustotal": {
        "command": "mcp-virustotal",
        "env": {
          "VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
        }
      }
    }
  }
- Reload VS Code to activate the MCP server
You can then use the VirusTotal tools through GitHub Copilot in VS Code by referencing the available tools in your prompts.
Alternative Setup (From Source)
If you prefer to run from source or need to modify the code:
- Clone and build:
  git clone <repository_url>
  cd mcp-virustotal
  npm install
  npm run build
- Add to your Claude Desktop configuration:
  {
    "mcpServers": {
      "virustotal": {
        "command": "node",
        "args": ["/absolute/path/to/mcp-virustotal/build/index.js"],
        "env": {
          "VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
        }
      }
    }
  }
HTTP Streaming Transport
The server supports HTTP streaming transport in addition to the default stdio transport. This is useful for running the server as a standalone HTTP service that multiple clients can connect to.
Running in HTTP Streaming Mode
Set the MCP_TRANSPORT environment variable to httpStream:
MCP_TRANSPORT=httpStream MCP_PORT=3000 VIRUSTOTAL_API_KEY=your-key node build/index.js
Environment Variables
| Variable | Default | Description |
|---|---|---|
| VIRUSTOTAL_API_KEY | (required) | Your VirusTotal API key |
| MCP_TRANSPORT | stdio | Transport mode: stdio or httpStream |
| MCP_PORT | 3000 | HTTP server port (only for httpStream) |
| MCP_ENDPOINT | /mcp | HTTP endpoint path (only for httpStream) |
Docker with HTTP Streaming
docker build -t mcp-virustotal .
docker run -p 3000:3000 \
-e VIRUSTOTAL_API_KEY=your-key \
-e MCP_TRANSPORT=httpStream \
mcp-virustotal
The server exposes a health check endpoint at /health when running in HTTP streaming mode.
Features
- Comprehensive Analysis Reports: Each analysis tool automatically fetches relevant relationship data along with the basic report, providing a complete security overview in a single request
- URL Analysis: Security reports with automatic fetching of contacted domains, downloaded files, and threat actors
- File Analysis: Detailed analysis of file hashes including behaviors, dropped files, and network connections
- IP Analysis: Security reports with historical data, resolutions, and related threats
- Domain Analysis: DNS information, WHOIS data, SSL certificates, and subdomains
- Detailed Relationship Analysis: Dedicated tools for querying specific types of relationships with pagination support
- Rich Formatting: Clear categorization and presentation of analysis results and relationship data
Tools
Report Tools (with Automatic Relationship Fetching)
1. URL Report Tool
- Name: get_url_report
- Description: Get a comprehensive URL analysis report including security scan results and key relationships (communicating files, contacted domains/IPs, downloaded files, redirects, threat actors)
- Parameters:
  - url (required): The URL to analyze
2. File Report Tool
- Name: get_file_report
- Description: Get a comprehensive file analysis report using its hash (MD5/SHA-1/SHA-256). Includes detection results, file properties, and key relationships (behaviors, dropped files, network connections, embedded content, threat actors)
- Parameters:
  - hash (required): MD5, SHA-1 or SHA-256 hash of the file
3. IP Report Tool
- Name: get_ip_report
- Description: Get a comprehensive IP address analysis report including geolocation, reputation data, and key relationships (communicating files, historical certificates/WHOIS, resolutions)
- Parameters:
  - ip (required): IP address to analyze
4. Domain Report Tool
- Name: get_domain_report
- Description: Get a comprehensive domain analysis report including DNS records, WHOIS data, and key relationships (SSL certificates, subdomains, historical data)
- Parameters:
  - domain (required): Domain name to analyze
  - relationships (optional): Array of specific relationships to include in the report
Relationship Tools (for Detailed Analysis)
1. URL Relationship Tool
- Name: get_url_relationship
- Description: Query a specific relationship type for a URL with pagination support. Choose from 17 relationship types including analyses, communicating files, contacted domains/IPs, downloaded files, graphs, referrers, redirects, and threat actors
- Parameters:
  - url (required): The URL to get relationships for
  - relationship (required): Type of relationship to query
    - Available relationships: analyses, comments, communicating_files, contacted_domains, contacted_ips, downloaded_files, graphs, last_serving_ip_address, network_location, referrer_files, referrer_urls, redirecting_urls, redirects_to, related_comments, related_references, related_threat_actors, submissions
  - limit (optional, default: 10): Maximum number of related objects to retrieve (1-40)
  - cursor (optional): Continuation cursor for pagination
2. File Relationship Tool
- Name: get_file_relationship
- Description: Query a specific relationship type for a file with pagination support. Choose from 41 relationship types including behaviors, network connections, dropped files, embedded content, execution chains, and threat actors
- Parameters:
  - hash (required): MD5, SHA-1 or SHA-256 hash of the file
  - relationship (required): Type of relationship to query
    - Available relationships: analyses, behaviours, bundled_files, carbonblack_children, carbonblack_parents, ciphered_bundled_files, ciphered_parents, clues, collections, comments, compressed_parents, contacted_domains, contacted_ips, contacted_urls, dropped_files, email_attachments, email_parents, embedded_domains, embedded_ips, embedded_urls, execution_parents, graphs, itw_domains, itw_ips, itw_urls, memory_pattern_domains, memory_pattern_ips, memory_pattern_urls, overlay_children, overlay_parents, pcap_children, pcap_parents, pe_resource_children, pe_resource_parents, related_references, related_threat_actors, similar_files, submissions, screenshots, urls_for_embedded_js, votes
  - limit (optional, default: 10): Maximum number of related objects to retrieve (1-40)
  - cursor (optional): Continuation cursor for pagination
3. IP Relationship Tool
- Name: get_ip_relationship
- Description: Query a specific relationship type for an IP address with pagination support. Choose from 12 relationship types including communicating files, historical SSL certificates, WHOIS records, resolutions, and threat actors
- Parameters:
  - ip (required): IP address to analyze
  - relationship (required): Type of relationship to query
    - Available relationships: comments, communicating_files, downloaded_files, graphs, historical_ssl_certificates, historical_whois, related_comments, related_references, related_threat_actors, referrer_files, resolutions, urls
  - limit (optional, default: 10): Maximum number of related objects to retrieve (1-40)
  - cursor (optional): Continuation cursor for pagination
4. Domain Relationship Tool
- Name: get_domain_relationship
- Description: Query a specific relationship type for a domain with pagination support. Choose from 21 relationship types including SSL certificates, subdomains, historical data, and DNS records
- Parameters:
  - domain (required): Domain name to analyze
  - relationship (required): Type of relationship to query
    - Available relationships: caa_records, cname_records, comments, communicating_files, downloaded_files, historical_ssl_certificates, historical_whois, immediate_parent, mx_records, ns_records, parent, referrer_files, related_comments, related_references, related_threat_actors, resolutions, soa_records, siblings, subdom
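The parameter constraints listed for the tools above (hash formats, the relationship names, the 1-40 limit) can be checked on the client before a request reaches the server. The following is an added example, not code from the mcp-virustotal project: the helper names are hypothetical, and it assumes the standard MCP `tools/call` JSON-RPC method with `params.name` and `params.arguments`.

```javascript
// Added example: validate arguments, then build an MCP "tools/call" request.
const HASH_LENGTHS = { 32: "MD5", 40: "SHA-1", 64: "SHA-256" };

// Relationship names copied from the get_ip_relationship list on this page.
const IP_RELATIONSHIPS = new Set([
  "comments", "communicating_files", "downloaded_files", "graphs",
  "historical_ssl_certificates", "historical_whois", "related_comments",
  "related_references", "related_threat_actors", "referrer_files",
  "resolutions", "urls",
]);

// Returns "MD5", "SHA-1", "SHA-256", or null for anything that is not a hex digest.
function hashType(hash) {
  if (typeof hash !== "string" || !/^[0-9a-fA-F]+$/.test(hash)) return null;
  return HASH_LENGTHS[hash.length] ?? null;
}

// Accepts dotted-quad IPv4, or an IPv6 literal that the WHATWG URL parser accepts.
function isIp(s) {
  if (typeof s !== "string") return false;
  if (s.includes(":")) {
    if (!/^[0-9a-fA-F:.]+$/.test(s)) return false;
    try { new URL(`http://[${s}]/`); return true; } catch { return false; }
  }
  const o = s.split(".");
  return o.length === 4 && o.every((x) => /^(0|[1-9]\d{0,2})$/.test(x) && Number(x) <= 255);
}

// JSON-RPC 2.0 envelope for an MCP tool invocation (assumed method: tools/call).
function toolCall(id, name, args) {
  return { jsonrpc: "2.0", id, method: "tools/call", params: { name, arguments: args } };
}

function fileReportCall(id, hash) {
  if (!hashType(hash)) throw new Error("hash must be a hex MD5, SHA-1 or SHA-256 digest");
  return toolCall(id, "get_file_report", { hash: hash.toLowerCase() }); // normalise case
}

function ipRelationshipCall(id, ip, relationship, limit = 10, cursor) {
  if (!isIp(ip)) throw new Error("ip is not a valid address");
  if (!IP_RELATIONSHIPS.has(relationship)) throw new Error(`unknown relationship: ${relationship}`);
  if (!Number.isInteger(limit) || limit < 1 || limit > 40) throw new Error("limit must be an integer in 1-40");
  const args = { ip, relationship, limit };
  if (cursor !== undefined) args.cursor = cursor; // only sent when paginating
  return toolCall(id, "get_ip_relationship", args);
}
```

Rejecting malformed indicators here keeps free-form text produced by an assistant from being forwarded as a hash, IP or relationship name.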
FAQ
- What is the VirusTotal MCP server?
- VirusTotal is a Model Context Protocol (MCP) server profile on explainx.ai. MCP lets AI hosts (e.g. Claude Desktop, Cursor) call tools and resources through a standard interface; this page summarizes categories, install hints, and community ratings.
- How do MCP servers relate to agent skills?
- Skills are reusable instruction packages (often SKILL.md); MCP servers expose live capabilities. Teams frequently combine both—skills for workflows, MCP for APIs and data. See explainx.ai/skills and explainx.ai/mcp-servers for parallel directories.
- How are reviews shown for VirusTotal?
- This profile displays 33 aggregated ratings (sample rows for discoverability plus signed-in user reviews). Average score is about 4.5 out of 5—verify behavior in your own environment before production use.
Use Cases
Extended AI Capabilities
Add new capabilities to Claude beyond text generation
Example
Access external data sources, execute code, interact with tools and services
Transform Claude from chatbot to action-taking agent
Context Enhancement
Provide Claude with access to relevant context and data
Example
Load project documentation, access knowledge bases, query databases
Get more accurate, context-aware responses
Workflow Automation
Automate multi-step workflows combining AI and external tools
Example
Research → Summarize → Create document → Send notification
Complete complex tasks end-to-end without manual steps
Implementation Guide
Prerequisites
- Claude Desktop 0.7.0+ or Cursor IDE with MCP support
- Basic understanding of MCP architecture and capabilities
- Access credentials for integrated services (if required)
- Willingness to experiment and iterate on configuration
Time Estimate
15-60 minutes depending on server complexity
Installation Steps
1. Install MCP server: npm install -g [package-name] or via GitHub
2. Add server configuration to ~/.claude/mcp.json
3. Provide required credentials and configuration
4. Restart Claude Desktop to load new server
5. Test basic functionality with simple prompts
6. Explore capabilities and experiment with use cases
7. Document successful patterns for reuse
Troubleshooting
- MCP server not loading: Check config syntax, verify installation
- Connection errors: Check network, firewall, credentials
- Feature not working: Read server docs, check required parameters
- Performance issues: Monitor resource usage, check for network latency
- Conflicts with other servers: Check port assignments, namespace collisions
Best Practices
✓ Do
- Read server documentation thoroughly before setup
- Start with simple use cases to validate functionality
- Test in non-production environment first
- Monitor resource usage and performance
- Keep servers updated for bug fixes and new features
- Document configuration for team members
- Use environment variables for sensitive configuration
✗ Don't
- Don't grant overly permissive access to MCP servers
- Don't skip reading security considerations in docs
- Don't expose sensitive data without proper controls
- Don't run untrusted MCP servers without code review
- Don't ignore error messages—investigate root cause
💡 Pro Tips
- Combine multiple MCP servers for powerful workflows
- Create custom MCP servers for your specific needs
- Share successful configurations with team
- Use MCP inspector for debugging
- Join MCP community for tips and troubleshooting
Technical Details
Architecture
Model Context Protocol standardizes how AI hosts (Claude, Cursor) communicate with external tools and data sources through server implementations.
Protocols
- Model Context Protocol (MCP)
- JSON-RPC 2.0
- stdio or HTTP transport
Compatibility
- Claude Desktop
- Cursor IDE
- Custom MCP clients
When to Use This
✓ Use When
Use when you need Claude to access external data, execute actions, or integrate with tools. Best for extending AI capabilities beyond conversation.
✗ Avoid When
Avoid when native integrations exist (use official APIs directly), for real-time critical systems, or when security/compliance requires zero external dependencies.
Integration
- Tool composition: Chain multiple MCP tools in workflows
- Context augmentation: Provide AI with relevant external data
- Action delegation: Let AI execute tasks on external systems
- Bidirectional sync: Keep AI context and external systems in sync
Ratings
4.5 ★★★★★ (33 reviews)
- ★★★★★ Benjamin Zhang · Dec 24, 2024
  Strong directory entry: VirusTotal surfaces stars and publisher context so we could sanity-check maintenance before adopting.
- ★★★★★ Isabella Huang · Dec 8, 2024
  VirusTotal is among the better-indexed MCP projects we tried; the explainx.ai summary tracks the official description.
- ★★★★★ Evelyn Khanna · Nov 27, 2024
  VirusTotal reduced integration guesswork — categories and install configs on the listing matched the upstream repo.
- ★★★★★ Ava Abbas · Nov 27, 2024
  VirusTotal is a well-scoped MCP server in the explainx.ai directory — install snippets and categories matched our Claude Code setup.
- ★★★★★ Benjamin Khan · Nov 15, 2024
  VirusTotal has been reliable for tool-calling workflows; the MCP profile page is a good permalink for internal docs.
- ★★★★★ Isabella Mehta · Oct 18, 2024
  Useful MCP listing: VirusTotal is the kind of server we cite when onboarding engineers to host + tool permissions.
- ★★★★★ Kofi Martinez · Oct 6, 2024
  According to our notes, VirusTotal benefits from clear Model Context Protocol framing — fewer ambiguous “AI plugin” claims.
- ★★★★★ Benjamin Jain · Sep 25, 2024
  We wired VirusTotal into a staging workspace; the listing’s GitHub and npm pointers saved time versus hunting across READMEs.
- ★★★★★ Piyush G · Sep 13, 2024
  I recommend VirusTotal for teams standardizing on MCP; the explainx.ai page compares cleanly with sibling servers.
- ★★★★★ Luis Kapoor · Sep 1, 2024
  VirusTotal is a well-scoped MCP server in the explainx.ai directory — install snippets and categories matched our Claude Code setup.