A Model Context Protocol (MCP) server for querying the VirusTotal API.
https://github.com/BurtTheCoder/mcp-virustotal

Stop copying security data between browser tabs. This MCP server puts VirusTotal's threat analysis directly into your Claude conversations, and it automatically pulls in the relationship data that you would otherwise have to click through to find in the web interface.
You know the routine: a suspicious file hash shows up in Claude, you copy it, open VirusTotal, paste, analyze, copy the results back, and lose context along the way. Now you ask Claude to analyze it directly. The server automatically pulls relationship data (behavioral analysis, network connections, dropped files, threat actor connections) so you get a complete security picture in one request.
```bash
# One command setup via Smithery
npx -y @smithery/cli install @burtthecoder/mcp-virustotal --client claude
```
Automatic Relationship Enrichment: VirusTotal's main report shows scan results; this server additionally fetches the relationship data that an investigation actually needs. URL analysis includes contacted domains, downloaded files, and threat actors. File analysis pulls behavioral data, network connections, and execution chains. You get comprehensive intelligence, not just detection scores.
Deep Relationship Analysis: Need to trace malware families or analyze attack patterns? The dedicated relationship tools support 41 different relationship types for files, 21 for domains, plus full pagination. Map out entire attack infrastructures without leaving your conversation.
Intelligence in Context: Claude can now correlate security data across multiple indicators, suggest investigation paths, and help connect the dots between different pieces of threat intelligence—all while maintaining conversation context.
Incident Response: Drop a suspicious URL into Claude and immediately get security verdicts, infrastructure analysis, and related threat intelligence. Ask follow-up questions about attack patterns or similar campaigns without manual research.
Threat Hunting: Analyze file hashes, domains, and IPs as part of broader investigations. Claude can help correlate findings, suggest additional indicators to check, and build threat profiles based on the comprehensive relationship data.
Security Research: Investigate malware families by analyzing behavioral relationships, execution chains, and network patterns. The pagination support lets you deep-dive into complex threat infrastructures.
Daily Security Operations: Quick reputation checks on domains, IPs, and files during email analysis, web filtering decisions, or general security reviews—all without interrupting your workflow.
Core Security Reports:
- get_url_report: Full URL analysis with contacted infrastructure and threat actors
- get_file_report: Comprehensive file analysis including behaviors and network activity
- get_ip_report: IP reputation with historical data and related threats
- get_domain_report: Domain intelligence with SSL, DNS, and subdomain analysis

Advanced Relationship Analysis:
All with pagination support for complex investigations.
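The relationship tools above page through VirusTotal's v3 relationship endpoints. As an added example, not code from the mcp-virustotal project, this JavaScript sketch walks one relationship (a file's contacted_domains) cursor by cursor, the way a tool with pagination support has to, and fails loudly on a bad HTTP status so a quota error (429) surfaces instead of silently returning a partial list. The endpoint shape (/api/v3/{type}/{id}/{relationship}, limit and cursor query parameters, the x-apikey header, meta.cursor in the response) is VirusTotal's documented v3 API; the relationshipUrl and fetchAllRelated names, the maxPages cap, and the sample responses are assumptions of this example, constructed so the block runs offline.

```javascript
// Added example (not the mcp-virustotal project's code): paginate a VirusTotal v3
// relationship endpoint. v3 returns {data: [...], meta: {cursor}} and the next page
// is requested with ?cursor=<value>; the API key travels in the x-apikey header.
// `fetchImpl` is injected so the example runs offline against constructed responses.

const VT_BASE = "https://www.virustotal.com/api/v3";

// Build the relationship URL for an object type ("files", "domains", "urls", "ip_addresses").
function relationshipUrl(objectType, id, relationship, { limit = 10, cursor } = {}) {
  const url = new URL(`${VT_BASE}/${objectType}/${encodeURIComponent(id)}/${relationship}`);
  url.searchParams.set("limit", String(limit));
  if (cursor) url.searchParams.set("cursor", cursor);
  return url.toString();
}

// Follow meta.cursor until it is absent, collecting every related object.
// maxPages (an assumed safety cap, not a VirusTotal parameter) bounds the walk so
// one large relationship cannot burn through the API quota.
async function fetchAllRelated(objectType, id, relationship, apiKey, fetchImpl, maxPages = 5) {
  const related = [];
  let cursor;
  for (let page = 0; page < maxPages; page++) {
    const resp = await fetchImpl(relationshipUrl(objectType, id, relationship, { limit: 10, cursor }), {
      headers: { "x-apikey": apiKey, accept: "application/json" },
    });
    if (resp.status === 429) throw new Error("VirusTotal quota exceeded (HTTP 429)");
    if (!resp.ok) throw new Error(`VirusTotal returned HTTP ${resp.status}`);
    const body = await resp.json();
    for (const obj of body.data ?? []) related.push({ type: obj.type, id: obj.id });
    cursor = body.meta?.cursor;
    if (!cursor) break; // last page reached
  }
  return related;
}

// Constructed responses standing in for the VirusTotal API: two pages of
// contacted_domains for a file, then the end of the relationship.
const SAMPLE_PAGES = {
  "": { data: [{ type: "domain", id: "example-a.test" }, { type: "domain", id: "example-b.test" }], meta: { cursor: "page2" } },
  page2: { data: [{ type: "domain", id: "example-c.test" }], meta: {} },
};

// Minimal stand-in for fetch(): checks the key and serves the page for the cursor.
const sampleFetch = async (url, opts) => {
  if (opts.headers["x-apikey"] !== "test-key") return { ok: false, status: 401, json: async () => ({}) };
  const cursor = new URL(url).searchParams.get("cursor") ?? "";
  const page = SAMPLE_PAGES[cursor];
  return page ? { ok: true, status: 200, json: async () => page } : { ok: false, status: 404, json: async () => ({}) };
};

// Placeholder hash (MD5 of empty input), not a real malware sample.
async function demo() {
  return fetchAllRelated("files", "d41d8cd98f00b204e9800998ecf8427e", "contacted_domains", "test-key", sampleFetch);
}

demo().then((related) => console.log(related));
```

Swapping sampleFetch for the global fetch and the test key for a real VIRUSTOTAL_API_KEY turns this into a live query; the maxPages cap is the knob to watch, since each page is one request against your quota.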
Automatic Installation:
```bash
npx -y @smithery/cli install @burtthecoder/mcp-virustotal --client claude
```
Manual Setup:
```bash
npm install -g @burtthecoder/mcp-virustotal
```
Add the server to your Claude config and supply your VirusTotal API key through the VIRUSTOTAL_API_KEY environment variable:
```json
{
  "mcpServers": {
    "virustotal": {
      "command": "mcp-virustotal",
      "env": {
        "VIRUSTOTAL_API_KEY": "your-api-key"
      }
    }
  }
}
```
Treat this config file like any other credential store: keep it out of version control and shared pastes. Also note that automatic relationship enrichment issues several VirusTotal requests per indicator, so a standard free public API key (4 requests per minute, 500 per day) reaches its quota faster than a single web lookup would.
Your threat intelligence workflow just got streamlined. Instead of juggling multiple tools and losing context between analysis steps, you now have VirusTotal's report and relationship data integrated with Claude's analytical capabilities. Ask questions about attack patterns, get explanations of threat behaviors, and build comprehensive security assessments, all in natural language.
The automatic relationship fetching means you're not missing critical intelligence that's buried in VirusTotal's relationship endpoints. Every analysis gives you the full context needed for informed security decisions.
Ready to analyze that suspicious indicator without leaving Claude? Your security investigations just got a serious upgrade.