home / skills / composiohq / awesome-claude-skills / virustotal-automation

virustotal-automation skill

safe

/virustotal-automation

This skill automates Virustotal tasks via Rube MCP, discovering current tool schemas before execution to ensure reliable, up-to-date workflows.

npx playbooks add skill composiohq/awesome-claude-skills --skill virustotal-automation

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

2.9 KB

---
name: virustotal-automation
description: "Automate Virustotal tasks via Rube MCP (Composio). Always search tools first for current schemas."
requires:
  mcp: [rube]
---

# Virustotal Automation via Rube MCP

Automate Virustotal operations through Composio's Virustotal toolkit via Rube MCP.

**Toolkit docs**: [composio.dev/toolkits/virustotal](https://composio.dev/toolkits/virustotal)

## Prerequisites

- Rube MCP must be connected (RUBE_SEARCH_TOOLS available)
- Active Virustotal connection via `RUBE_MANAGE_CONNECTIONS` with toolkit `virustotal`
- Always call `RUBE_SEARCH_TOOLS` first to get current tool schemas

## Setup

**Get Rube MCP**: Add `https://rube.app/mcp` as an MCP server in your client configuration. No API keys needed — just add the endpoint and it works.

1. Verify Rube MCP is available by confirming `RUBE_SEARCH_TOOLS` responds
2. Call `RUBE_MANAGE_CONNECTIONS` with toolkit `virustotal`
3. If connection is not ACTIVE, follow the returned auth link to complete setup
4. Confirm connection status shows ACTIVE before running any workflows

## Tool Discovery

Always discover available tools before executing workflows:

```
RUBE_SEARCH_TOOLS
queries: [{use_case: "Virustotal operations", known_fields: ""}]
session: {generate_id: true}
```

This returns available tool slugs, input schemas, recommended execution plans, and known pitfalls.

## Core Workflow Pattern

### Step 1: Discover Available Tools

```
RUBE_SEARCH_TOOLS
queries: [{use_case: "your specific Virustotal task"}]
session: {id: "existing_session_id"}
```

### Step 2: Check Connection

```
RUBE_MANAGE_CONNECTIONS
toolkits: ["virustotal"]
session_id: "your_session_id"
```

### Step 3: Execute Tools

```
RUBE_MULTI_EXECUTE_TOOL
tools: [{
  tool_slug: "TOOL_SLUG_FROM_SEARCH",
  arguments: {/* schema-compliant args from search results */}
}]
memory: {}
session_id: "your_session_id"
```

## Known Pitfalls

- **Always search first**: Tool schemas change. Never hardcode tool slugs or arguments without calling `RUBE_SEARCH_TOOLS`
- **Check connection**: Verify `RUBE_MANAGE_CONNECTIONS` shows ACTIVE status before executing tools
- **Schema compliance**: Use exact field names and types from the search results
- **Memory parameter**: Always include `memory` in `RUBE_MULTI_EXECUTE_TOOL` calls, even if empty (`{}`)
- **Session reuse**: Reuse session IDs within a workflow. Generate new ones for new workflows
- **Pagination**: Check responses for pagination tokens and continue fetching until complete

## Quick Reference

| Operation | Approach |
|-----------|----------|
| Find tools | `RUBE_SEARCH_TOOLS` with Virustotal-specific use case |
| Connect | `RUBE_MANAGE_CONNECTIONS` with toolkit `virustotal` |
| Execute | `RUBE_MULTI_EXECUTE_TOOL` with discovered tool slugs |
| Bulk ops | `RUBE_REMOTE_WORKBENCH` with `run_composio_tool()` |
| Full schema | `RUBE_GET_TOOL_SCHEMAS` for tools with `schemaRef` |

---
*Powered by [Composio](https://composio.dev)*

Overview

This skill automates VirusTotal tasks by orchestrating Composio’s Virustotal toolkit through Rube MCP. It provides a repeatable, API-driven pattern for discovering tools, validating connections, and executing VirusTotal operations at scale. The skill emphasizes dynamic schema discovery and reliable session management to avoid hardcoded behavior.

How this skill works

The skill first calls RUBE_SEARCH_TOOLS to fetch current tool slugs, input schemas, and recommended execution plans. It then validates an active VirusTotal connection via RUBE_MANAGE_CONNECTIONS and runs one or more tools using RUBE_MULTI_EXECUTE_TOOL (including a memory object and session_id). For bulk or complex runs, it supports RUBE_REMOTE_WORKBENCH and retrieving full schemas with RUBE_GET_TOOL_SCHEMAS.

When to use it

Automating malware or URL scans across many samples using VirusTotal APIs.
Orchestrating multi-step analysis workflows that require dynamic tool discovery.
Building repeatable scanning pipelines where tool schemas may change.
Running bulk, scheduled, or batch VirusTotal operations via a remote workbench.
Integrating VirusTotal lookups into larger agent workflows that use Rube MCP.

Best practices

Always call RUBE_SEARCH_TOOLS at the start of a workflow to get current tool slugs and input schemas.
Verify RUBE_MANAGE_CONNECTIONS shows ACTIVE for the virustotal toolkit before executing tools.
Include a memory object (even an empty {}) in RUBE_MULTI_EXECUTE_TOOL calls and reuse session_id across the workflow.
Respect exact field names and types from the returned schema; do not hardcode argument shapes.
Handle pagination tokens in responses and iterate until results are complete.

Example use cases

Scan a list of file hashes: discover the hash-scanning tool, confirm connection, then multi-execute with the hash list.
Bulk URL reputation checks: use RUBE_REMOTE_WORKBENCH to run run_composio_tool() for thousands of URLs.
Ad-hoc schema inspection: call RUBE_SEARCH_TOOLS and RUBE_GET_TOOL_SCHEMAS to display current input requirements before coding.
Automated triage pipeline: chain multiple Virustotal tools within one session to enrich, classify, and export findings.

FAQ

Do I need API keys to use Rube MCP with this skill?

No API keys are required to add the Rube MCP server endpoint; you must, however, create and activate a VirusTotal connection via RUBE_MANAGE_CONNECTIONS as instructed.

What if a tool slug or schema changes?

Always re-run RUBE_SEARCH_TOOLS before executing. Use the returned schema fields and types exactly to avoid execution errors.

Can I run bulk jobs?

Yes. Use RUBE_REMOTE_WORKBENCH with run_composio_tool() for high-volume or long-running bulk operations.