io.github.BurtTheCoder/virustotal
编码与调试by burtthecoder
用于查询 VirusTotal API 的 MCP 服务器,提供全面的安全分析、检测结果与情报检索能力。
把 VirusTotal 查询直接接入 MCP 工作流,快速拿到安全分析、检测结果和威胁情报,排查可疑文件或域名更省事。
什么是 io.github.BurtTheCoder/virustotal?
用于查询 VirusTotal API 的 MCP 服务器,提供全面的安全分析、检测结果与情报检索能力。
README
VirusTotal MCP Server
A Model Context Protocol (MCP) server for querying the VirusTotal API. This server provides comprehensive security analysis tools with automatic relationship data fetching. It integrates seamlessly with MCP-compatible applications like Claude Desktop.
Quick Start (Recommended)
Claude Code
claude mcp add --transport stdio --env VIRUSTOTAL_API_KEY=your-key virustotal -- npx -y @burtthecoder/mcp-virustotal
Codex CLI
codex mcp add virustotal --env VIRUSTOTAL_API_KEY=your-key -- npx -y @burtthecoder/mcp-virustotal
Gemini CLI
gemini mcp add -e VIRUSTOTAL_API_KEY=your-key virustotal npx -y @burtthecoder/mcp-virustotal
Installing via Smithery
To install VirusTotal Server for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install @burtthecoder/mcp-virustotal --client claude
Installing Manually
- Install the server globally via npm:
npm install -g @burtthecoder/mcp-virustotal
- Add to your Claude Desktop configuration file:
{
"mcpServers": {
"virustotal": {
"command": "mcp-virustotal",
"env": {
"VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
}
}
}
}
Configuration file location:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
- Restart Claude Desktop
Using with VS Code
To use this MCP server in VS Code with GitHub Copilot:
- Install the server globally via npm:
npm install -g @burtthecoder/mcp-virustotal
-
Create or update your VS Code MCP configuration file at:
- macOS/Linux:
~/.vscode/mcp.json - Windows:
%USERPROFILE%\.vscode\mcp.json
- macOS/Linux:
-
Add the following configuration:
{
"servers": {
"virustotal": {
"command": "mcp-virustotal",
"env": {
"VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
}
}
}
}
- Reload VS Code to activate the MCP server
You can then use the VirusTotal tools through GitHub Copilot in VS Code by referencing the available tools in your prompts.
Alternative Setup (From Source)
If you prefer to run from source or need to modify the code:
- Clone and build:
git clone <repository_url>
cd mcp-virustotal
npm install
npm run build
- Add to your Claude Desktop configuration:
{
"mcpServers": {
"virustotal": {
"command": "node",
"args": ["/absolute/path/to/mcp-virustotal/build/index.js"],
"env": {
"VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
}
}
}
}
HTTP Streaming Transport
The server supports HTTP streaming transport in addition to the default stdio transport. This is useful for running the server as a standalone HTTP service that multiple clients can connect to.
Running in HTTP Streaming Mode
Set the MCP_TRANSPORT environment variable to httpStream:
MCP_TRANSPORT=httpStream MCP_PORT=3000 VIRUSTOTAL_API_KEY=your-key node build/index.js
Environment Variables
| Variable | Default | Description |
|---|---|---|
VIRUSTOTAL_API_KEY | (required) | Your VirusTotal API key |
MCP_TRANSPORT | stdio | Transport mode: stdio or httpStream |
MCP_PORT | 3000 | HTTP server port (only for httpStream) |
MCP_ENDPOINT | /mcp | HTTP endpoint path (only for httpStream) |
Docker with HTTP Streaming
docker build -t mcp-virustotal .
docker run -p 3000:3000 \
-e VIRUSTOTAL_API_KEY=your-key \
-e MCP_TRANSPORT=httpStream \
mcp-virustotal
The server exposes a health check endpoint at /health when running in HTTP streaming mode.
Features
- Comprehensive Analysis Reports: Each analysis tool automatically fetches relevant relationship data along with the basic report using VirusTotal's
?relationships=query, batched to minimize API calls - URL Analysis: Cached-report-first lookups with automatic fallback to scanning, plus contacted domains, downloaded files, and threat actors
- File Analysis: Detailed analysis of file hashes including behaviors, dropped files, and network connections
- IP Analysis: Security reports with historical data, resolutions, and related threats
- Domain Analysis: DNS information, WHOIS data, SSL certificates, and subdomains
- Detailed Relationship Analysis: Dedicated tools for querying specific types of relationships with pagination support
- Corpus Search: Free-form search across files, URLs, domains, IPs, and comments, including VTI-style modifier syntax (
type:peexe positives:5+) - Sandbox Behaviour Summary: Cross-sandbox merged view of processes, files, registry, network, MITRE ATT&CK, IDS alerts, and signature matches
- Threat Collections: Read APT, malware-family, campaign, and intel-report objects referenced from any report's relationships
- Rich Formatting: Clear categorization and presentation of analysis results and relationship data
Tools
Report Tools (with Automatic Relationship Fetching)
1. URL Report Tool
- Name:
get_url_report - Description: Get a comprehensive URL analysis report including security scan results and key relationships (communicating files, contacted domains/IPs, downloaded files, redirects, threat actors). Returns the cached VirusTotal report when available; only submits the URL for scanning and polls for completion on a cache miss
- Parameters:
url(required): The URL to analyze
2. File Report Tool
- Name:
get_file_report - Description: Get a comprehensive file analysis report using its hash (MD5/SHA-1/SHA-256). Includes detection results, file properties, and key relationships (behaviors, dropped files, network connections, embedded content, threat actors)
- Parameters:
hash(required): MD5, SHA-1 or SHA-256 hash of the file
3. IP Report Tool
- Name:
get_ip_report - Description: Get a comprehensive IP address analysis report including geolocation, reputation data, and key relationships (communicating files, historical certificates/WHOIS, resolutions)
- Parameters:
ip(required): IP address to analyze
4. Domain Report Tool
- Name:
get_domain_report - Description: Get a comprehensive domain analysis report including DNS records, WHOIS data, and key relationships (SSL certificates, subdomains, historical data)
- Parameters:
domain(required): Domain name to analyzerelationships(optional): Array of specific relationships to include in the report
Relationship Tools (for Detailed Analysis)
1. URL Relationship Tool
- Name:
get_url_relationship - Description: Query a specific relationship type for a URL with pagination support. Choose from 22 relationship types including analyses, communicating files, contacted domains/IPs, downloaded files, graphs, referrers, redirects, threat actors, collections, and votes
- Parameters:
url(required): The URL to get relationships forrelationship(required): Type of relationship to query- Available relationships: analyses, collections, comments, communicating_files, contacted_domains, contacted_ips, downloaded_files, embedded_js_files, graphs, last_serving_ip_address, network_location, referrer_files, referrer_urls, redirecting_urls, redirects_to, related_comments, related_references, related_threat_actors, submissions, urls_related_by_tracker_id, user_votes, votes
limit(optional, default: 10): Maximum number of related objects to retrieve (1-40)cursor(optional): Continuation cursor for pagination
2. File Relationship Tool
- Name:
get_file_relationship - Description: Query a specific relationship type for a file with pagination support. Choose from 40 relationship types including behaviors, network connections, dropped files, embedded content, execution chains, and threat actors
- Parameters:
hash(required): MD5, SHA-1 or SHA-256 hash of the filerelationship(required): Type of relationship to query- Available relationships: analyses, behaviours, bundled_files, carbonblack_children, carbonblack_parents, ciphered_bundled_files, ciphered_parents, collections, comments, compressed_parents, contacted_domains, contacted_ips, contacted_urls, dropped_files, email_attachments, email_parents, embedded_domains, embedded_ips, embedded_urls, execution_parents, graphs, itw_domains, itw_ips, itw_urls, memory_pattern_domains, memory_pattern_ips, memory_pattern_urls, overlay_children, overlay_parents, pcap_children, pcap_parents, pe_resource_children, pe_resource_parents, related_references, related_threat_actors, similar_files, submissions, screenshots, urls_for_embedded_js, votes
limit(optional, default: 10): Maximum number of related objects to retrieve (1-40)cursor(optional): Continuation cursor for pagination
3. IP Relationship Tool
- Name:
get_ip_relationship - Description: Query a specific relationship type for an IP address with pagination support. Choose from 15 relationship types including communicating files, historical SSL certificates, WHOIS records, resolutions, threat actors, and votes
- Parameters:
ip(required): IP address to analyzerelationship(required): Type of relationship to query- Available relationships: collections, comments, communicating_files, downloaded_files, graphs, historical_ssl_certificates, historical_whois, related_comments, related_references, related_threat_actors, referrer_files, resolutions, urls, user_votes, votes
limit(optional, default: 10): Maximum number of related objects to retrieve (1-40)cursor(optional): Continuation cursor for pagination
4. Domain Relationship Tool
- Name:
get_domain_relationship - Description: Query a specific relationship type for a domain with pagination support. Choose from 24 relationship types including SSL certificates, subdomains, historical data, DNS records, and collections
- Parameters:
domain(required): Domain name to analyzerelationship(required): Type of relationship to query- Available relationships: caa_records, cname_records, collections, comments, communicating_files, downloaded_files, graphs, historical_ssl_certificates, historical_whois, immediate_parent, mx_records, ns_records, parent, referrer_files, related_comments, related_references, related_threat_actors, resolutions, soa_records, siblings, subdomains, urls, user_votes, votes
limit(optional, default: 10): Maximum number of related objects to retrieve (1-40)cursor(optional): Continuation cursor for pagination
Search & Pivot Tools
1. Corpus Search
- Name:
search_vt - Description: Search the VirusTotal corpus for files, URLs, domains, IPs, or comments matching a query. Accepts plain IOCs (hash, URL, domain, IP), free text against comments, or VTI-style search modifiers
- Parameters:
query(required): Search query. Examples: a SHA-256 hash,evil.com,8.8.8.8,type:peexe size:90kb+ tag:signed positives:5+limit(optional, default: 20): Maximum number of results (1-300)cursor(optional): Continuation cursor for pagination
2. File Behaviour Summary
- Name:
get_file_behaviour_summary - Description: Get a consolidated sandbox behaviour summary for a file, merged across every sandbox that analyzed it. Returns processes, files, registry, network activity, DNS lookups, MITRE ATT&CK techniques, IDS alerts, and signature matches in a single view — far more useful than iterating individual behaviour reports
- Parameters:
hash(required): MD5, SHA-1 or SHA-256 hash of the file
3. Collection Lookup
- Name:
get_collection - Description: Retrieve a VirusTotal collection by ID. Collections represent threat actors, malware families, campaigns, intel reports, and curated IOC sets — often referenced from the
related_threat_actorsandcollectionsrelationships on other tools. Optionally include relationships to fetch member IOCs in the same call - Parameters:
id(required): Collection ID (e.g.threat-actor--<uuid>,malware-family--<id>)relationships(optional): Array of relationship names to include- Available relationships: autogenerated_graphs, comments, domains, files, ip_addresses, owner, references, related_collections, related_references, threat_actors, urls
Requirements
- Node.js (v20 or later)
- A valid VirusTotal API Key
Troubleshooting
API Key Issues
If you see "Wrong API key" errors:
- Check the log file at
/tmp/mcp-virustotal-server.log(on macOS) for API key status - Verify your API key:
- Should be a valid VirusTotal API key (usually 64 characters)
- No extra spaces or quotes around the key
- Must be from the API Keys section in your VirusTotal account
- After any configuration changes:
- Save the config file
- Restart Claude Desktop
- Check logs for new API key status
Development
To run in development mode with hot reloading:
npm run dev
Testing
Unit tests
Run the formatter test suite (no API key, no network):
npm test
Live smoke test
Exercise all 11 tools end-to-end against the real VirusTotal API:
VIRUSTOTAL_API_KEY=your-key npm run smoke
The smoke test paces calls at 20 s to stay under the 4-requests-per-minute public-tier rate limit. It is not compatible with heavily reduced free tiers (e.g. 1 lookup/day) — for those, run a single tool by editing scripts/smoke-test.mjs and pick the one you want to verify.
Error Handling
The server includes comprehensive error handling for:
- Invalid API keys
- Rate limiting
- Network errors
- Invalid input parameters
- Invalid hash formats
- Invalid IP formats
- Invalid URL formats
- Invalid relationship types
- Pagination errors
Version History
- v1.0.0: Initial release with core functionality
- v1.1.0: Added relationship analysis tools for URLs, files, and IP addresses
- v1.2.0: Added improved error handling and logging
- v1.3.0: Added pagination support for relationship queries
- v1.4.0: Added automatic relationship fetching in report tools and domain analysis support
- v1.5.0: Migrated to FastMCP framework with HTTP streaming transport support
- v1.6.0: Added
search_vt,get_file_behaviour_summary,get_collection, andget_domain_relationshiptools; synced relationship lists with current VirusTotal v3 docs (drops removedclues, addscollections/votes/user_votes/embedded_js_files/urls_related_by_tracker_idwhere applicable);get_url_reportnow returns the cached report when available instead of re-scanning on every call; report tools use batched?relationships=queries for dramatically fewer API calls
Contributing
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
License
This project is licensed under the MIT License - see the LICENSE file for details.
常见问题
io.github.BurtTheCoder/virustotal 是什么?
用于查询 VirusTotal API 的 MCP 服务器,提供全面的安全分析、检测结果与情报检索能力。
相关 Skills
前端设计
by anthropics
面向组件、页面、海报和 Web 应用开发,按鲜明视觉方向生成可直接落地的前端代码与高质感 UI,适合做 landing page、Dashboard 或美化现有界面,避开千篇一律的 AI 审美。
✎ 想把页面做得既能上线又有设计感,就用前端设计:组件到整站都能产出,难得的是能避开千篇一律的 AI 味。
网页应用测试
by anthropics
用 Playwright 为本地 Web 应用编写自动化测试,支持启动开发服务器、校验前端交互、排查 UI 异常、抓取截图与浏览器日志,适合调试动态页面和回归验证。
✎ 借助 Playwright 一站式验证本地 Web 应用前端功能,调 UI 时还能同步查看日志和截图,定位问题更快。
网页构建器
by anthropics
面向复杂 claude.ai HTML artifact 开发,快速初始化 React + Tailwind CSS + shadcn/ui 项目并打包为单文件 HTML,适合需要状态管理、路由或多组件交互的页面。
✎ 在 claude.ai 里做复杂网页 Artifact 很省心,多组件、状态和路由都能顺手搭起来,React、Tailwind 与 shadcn/ui 组合效率高、成品也更精致。
相关 MCP Server
GitHub
编辑精选by GitHub
GitHub 是 MCP 官方参考服务器,让 Claude 直接读写你的代码仓库和 Issues。
✎ 这个参考服务器解决了开发者想让 AI 安全访问 GitHub 数据的问题,适合需要自动化代码审查或 Issue 管理的团队。但注意它只是参考实现,生产环境得自己加固安全。
Context7 文档查询
编辑精选by Context7
Context7 是实时拉取最新文档和代码示例的智能助手,让你告别过时资料。
✎ 它能解决开发者查找文档时信息滞后的问题,特别适合快速上手新库或跟进更新。不过,依赖外部源可能导致偶尔的数据延迟,建议结合官方文档使用。
by tldraw
tldraw 是让 AI 助手直接在无限画布上绘图和协作的 MCP 服务器。
✎ 这解决了 AI 只能输出文本、无法视觉化协作的痛点——想象让 Claude 帮你画流程图或白板讨论。最适合需要快速原型设计或头脑风暴的开发者。不过,目前它只是个基础连接器,你得自己搭建画布应用才能发挥全部潜力。