VirusTotal MCP Server

A Model Context Protocol (MCP) server for querying the VirusTotal API.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "burtthecoder-mcp-virustotal": {
      "command": "mcp-virustotal",
      "args": [],
      "env": {
        "VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
      }
    }
  }
}

VirusTotal MCP Server lets you query the VirusTotal API from MCP-compatible clients, delivering comprehensive security analysis with automatic relationship data fetching so you can correlate reports across URLs, files, IPs, and domains in a single request.

How to use

Connect an MCP client to the VirusTotal MCP Server and use its report and relationship tools to retrieve in-depth analyses. Start by configuring your client to launch either the locally installed server or a build from source. Use the URL, file, IP, and domain report tools to pull a full report together with its key relationships, such as contacted domains, downloaded files, threat actors, and historical SSL certificates. When you need one specific relationship type, switch to the corresponding relationship tool and paginate through the results as needed.

How to install

Prerequisites: Node.js v18 or later, and a VirusTotal API key.

Install via Smithery (automatic, recommended)

npx -y @smithery/cli install @burtthecoder/mcp-virustotal --client claude

Manual installation (global server)

npm install -g @burtthecoder/mcp-virustotal

Configure Claude Desktop to use the local MCP server (stdio)

{
  "mcpServers": {
    "virustotal": {
      "command": "mcp-virustotal",
      "env": {
        "VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
      }
    }
  }
}

Alternative setup from source

If you prefer to run from source or need to modify the code, follow this build-and-run path.

Clone, install, and build the project.

git clone <repository_url>
cd mcp-virustotal
npm install
npm run build

Configure Claude Desktop to run the built index directly via Node with experimental modules enabled.

{
  "mcpServers": {
    "virustotal": {
      "command": "node",
      "args": ["--experimental-modules", "/absolute/path/to/mcp-virustotal/build/index.js"],
      "env": {
        "VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
      }
    }
  }
}
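
A pre-flight check for the configuration blocks above, as an added example that is not part of the mcp-virustotal project: it flags an unset or placeholder VIRUSTOTAL_API_KEY and a non-absolute script path, and masks the key before the config is shared. The function names, the sample config, and the 64-hex-character key shape are assumptions of this example.

```javascript
// Added example (not from the mcp-virustotal project): lint an MCP client
// config for the VirusTotal server entry and redact the key for sharing.
const PLACEHOLDER = "your-virustotal-api-key"; // placeholder value used on this page
const KEY_SHAPE = /^[0-9a-f]{64}$/i;           // assumption: VT API keys are 64 hex chars

// Absolute on POSIX ("/...") or Windows ("C:\..." / "C:/...").
function isAbsolutePath(p) {
  return p.startsWith("/") || /^[A-Za-z]:[\\/]/.test(p);
}

// Returns a list of human-readable findings; an empty list means the entry passes.
function auditMcpConfig(config) {
  const findings = [];
  for (const [name, entry] of Object.entries((config && config.mcpServers) || {})) {
    const args = Array.isArray(entry.args) ? entry.args : [];
    const isVt = entry.command === "mcp-virustotal" ||
                 args.some((a) => String(a).includes("mcp-virustotal"));
    if (!isVt) continue; // other MCP servers are out of scope here
    const key = entry.env ? entry.env.VIRUSTOTAL_API_KEY : undefined;
    if (!key) findings.push(`${name}: VIRUSTOTAL_API_KEY is not set`);
    else if (key === PLACEHOLDER) findings.push(`${name}: VIRUSTOTAL_API_KEY is still the placeholder`);
    else if (!KEY_SHAPE.test(key)) findings.push(`${name}: VIRUSTOTAL_API_KEY is not 64 hex characters`);
    if (entry.command === "node") {
      // First non-flag argument is the script Node will run.
      const script = args.find((a) => !String(a).startsWith("--"));
      if (!script || !isAbsolutePath(script)) {
        findings.push(`${name}: path to build/index.js must be absolute`);
      }
    }
  }
  return findings;
}

// Deep copy with every VIRUSTOTAL_API_KEY masked, safe to paste into a bug report.
function redactMcpConfig(config) {
  const copy = JSON.parse(JSON.stringify(config));
  for (const entry of Object.values(copy.mcpServers || {})) {
    if (entry.env && entry.env.VIRUSTOTAL_API_KEY) entry.env.VIRUSTOTAL_API_KEY = "<redacted>";
  }
  return copy;
}

// Constructed sample: the from-source entry with a relative path and the placeholder key.
const sample = { mcpServers: { virustotal: {
  command: "node",
  args: ["--experimental-modules", "mcp-virustotal/build/index.js"],
  env: { VIRUSTOTAL_API_KEY: PLACEHOLDER },
} } };
console.log(auditMcpConfig(sample));
```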

Available tools

get_url_report

Get a comprehensive URL analysis report including security scan results and key relationships (communicating files, contacted domains/IPs, downloaded files, redirects, threat actors)

get_file_report

Get a comprehensive file analysis report by hash (MD5/SHA-1/SHA-256) including detections, properties, and relationships (behaviors, dropped files, network connections, embedded content, threat actors)

get_ip_report

Get a comprehensive IP address analysis report including geolocation, reputation data, and key relationships (communicating files, historical certificates/WHOIS, resolutions)

get_domain_report

Get a comprehensive domain analysis report including DNS records, WHOIS data, and key relationships (SSL certificates, subdomains, historical data)

get_url_relationship

Query a specific URL relationship type with pagination support (analyses, communicating_files, contacted_domains, contacted_ips, downloaded_files, graphs, redirects, threat_actors, etc.)

get_file_relationship

Query a specific file relationship type with pagination support (behaviors, network connections, dropped_files, embedded_content, threat_actors, etc.)

get_ip_relationship

Query a specific IP relationship type with pagination support (communicating_files, historical_ssl_certificates, historical_whois, resolutions, threat_actors, etc.)

get_domain_relationship

Query a specific domain relationship type with pagination support (SSL certificates, subdomains, historical data, DNS records)