VirusTotal MCP server for AI agents

The VirusTotal MCP server provides a powerful interface for interacting with the VirusTotal API, allowing you to analyze URLs, files, IPs, and domains for security threats. It integrates with MCP-compatible applications like Claude Desktop to provide comprehensive security analysis capabilities.

Installation Options

Quick Installation via Smithery

The easiest way to install the VirusTotal Server for Claude Desktop:

npx -y @smithery/cli install @burtthecoder/mcp-virustotal --client claude

Manual Installation

Install the server globally with npm:

npm install -g @burtthecoder/mcp-virustotal

Add the server to your Claude Desktop configuration file:

{
  "mcpServers": {
    "virustotal": {
      "command": "mcp-virustotal",
      "env": {
        "VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
      }
    }
  }
}

Configuration file locations:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

Restart Claude Desktop

Installation from Source

If you need to modify the code or prefer running from source:

Clone and build the repository:

git clone <repository_url>
cd mcp-virustotal
npm install
npm run build

Configure Claude Desktop to use your local build:

{
  "mcpServers": {
    "virustotal": {
      "command": "node",
      "args": ["--experimental-modules", "/absolute/path/to/mcp-virustotal/build/index.js"],
      "env": {
        "VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
      }
    }
  }
}

Available Tools

Report Tools

These tools provide comprehensive analysis with automatic relationship data fetching:

URL Report Tool

Name: get_url_report
Description: Get URL analysis with security scan results and key relationships
Parameters:
- url (required): The URL to analyze

File Report Tool

Name: get_file_report
Description: Get file analysis using a hash (MD5/SHA-1/SHA-256)
Parameters:
- hash (required): MD5, SHA-1 or SHA-256 hash of the file

IP Report Tool

Name: get_ip_report
Description: Get IP address analysis with geolocation and reputation data
Parameters:
- ip (required): IP address to analyze

Domain Report Tool

Name: get_domain_report
Description: Get domain analysis including DNS records and WHOIS data
Parameters:
- domain (required): Domain name to analyze
- relationships (optional): Array of specific relationships to include

Relationship Tools

These tools allow detailed querying of specific relationship types with pagination:

URL Relationship Tool

Name: get_url_relationship
Parameters:
- url (required): URL to analyze
- relationship (required): Relationship type to query (e.g., contacted_domains, downloaded_files)
- limit (optional, default: 10): Maximum results (1-40)
- cursor (optional): Continuation cursor for pagination

File Relationship Tool

Name: get_file_relationship
Parameters:
- hash (required): MD5, SHA-1 or SHA-256 hash
- relationship (required): Relationship type to query (e.g., behaviors, dropped_files)
- limit (optional, default: 10): Maximum results (1-40)
- cursor (optional): Continuation cursor for pagination

IP Relationship Tool

Name: get_ip_relationship
Parameters:
- ip (required): IP address to analyze
- relationship (required): Relationship type to query (e.g., communicating_files, resolutions)
- limit (optional, default: 10): Maximum results (1-40)
- cursor (optional): Continuation cursor for pagination

Domain Relationship Tool

Name: get_domain_relationship
Parameters:
- domain (required): Domain name to analyze
- relationship (required): Relationship type to query (e.g., ssl_certificates, subdomains)
- limit (optional, default: 10): Maximum results (1-40)
- cursor (optional): Continuation cursor for pagination

Requirements

Node.js v18 or later
A valid VirusTotal API Key

Troubleshooting

API Key Issues

If you encounter "Wrong API key" errors:

Check the log file at /tmp/mcp-virustotal-server.log (on macOS)
Verify your API key:
- Make sure it's a valid 64-character VirusTotal API key
- Ensure there are no extra spaces or quotes around the key
- Confirm it's from the API Keys section in your VirusTotal account
After any configuration changes:
- Save the config file
- Restart Claude Desktop
- Check logs for API key status

Module Loading Issues

If you see ES module loading warnings:

For global installation: Use the configuration shown in Quick Start
For source installation: Include --experimental-modules in the args

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explictly ask the agent to use the tool by mentioning the tool name and describing what the function does.