Liberty91
CTI Skill · Lookups

VirusTotal Lookup.

/lookup-virustotal

The VirusTotal API lookup skill lets an analyst check an IP, domain, file hash or URL against VirusTotal's reputation database without leaving their AI coding agent. Ask it about an indicator in plain language and it returns the detection ratio, an overall verdict, the community score and the findings that matter, so you can triage an IOC in seconds rather than copying values into a browser tab.

What it does.

It wraps the VirusTotal v3 API as a zero-dependency skill your agent can call. Hand it any IP, domain, SHA-256, MD5 or URL and it queries VirusTotal, parses the response and hands back a clean summary: how many engines flagged the indicator, the consensus verdict, the community reputation score and the most relevant detection names. It runs on the free public API tier, so you can start using it without a paid subscription.

When to use it.

Reach for it during first-pass triage of any unknown indicator: an IP in a firewall log, a suspicious attachment hash, a domain pulled from a phishing email. It is the default first stop when you want a quick reputation read before deciding whether an indicator warrants deeper investigation, and it is chained automatically by the IP, domain, hash and URL investigation workflows in the pack.

What you get back.

A structured summary rather than raw JSON: the detection ratio (engines flagging it versus total), a plain verdict, the community score, first and last submission dates where available, and the standout detection labels. If no VirusTotal key is configured the skill notes the gap and continues rather than crashing, so a missing key degrades gracefully instead of breaking your run.
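The summary and the missing-key behaviour described above can be sketched with the standard library alone. This is an added example, not the skill's own code: the `VT_API_KEY` variable name, the verdict thresholds and the function names are assumptions, and the sample response is constructed.

```python
import base64, ipaddress, json, os, re, urllib.request

API = "https://www.virustotal.com/api/v3"

def endpoint(ioc):
    """Map an indicator to its VirusTotal v3 object path."""
    ioc = ioc.strip()
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{64}", ioc):  # MD5 or SHA-256
        return f"/files/{ioc.lower()}"
    if re.match(r"https?://", ioc, re.I):
        # v3 URL identifier: URL-safe base64 of the URL with padding stripped
        return "/urls/" + base64.urlsafe_b64encode(ioc.encode()).decode().rstrip("=")
    try:
        return f"/ip_addresses/{ipaddress.ip_address(ioc)}"
    except ValueError:
        return f"/domains/{ioc.lower()}"  # anything else is treated as a domain

def summarize(report):
    """Reduce a v3 object report to the fields an analyst triages on."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.values())  # every engine that reported any category
    # Assumed thresholds for illustration, not the skill's own rule.
    verdict = "malicious" if stats.get("malicious", 0) >= 3 else "suspicious" if flagged else "clean"
    labels = sorted({r["result"] for r in attrs.get("last_analysis_results", {}).values()
                     if r.get("category") == "malicious" and r.get("result")})
    return {"ratio": f"{flagged}/{total}", "verdict": verdict,
            "community_score": attrs.get("reputation"), "labels": labels[:5]}

def lookup(ioc, api_key=None):
    """Query VirusTotal; with no key configured, report the gap and continue."""
    api_key = api_key or os.environ.get("VT_API_KEY")  # assumed variable name
    if not api_key:
        return {"skipped": "no VirusTotal API key configured"}
    req = urllib.request.Request(API + endpoint(ioc), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return summarize(json.load(resp))

# Constructed sample response (not real VirusTotal output)
SAMPLE = {"data": {"attributes": {
    "reputation": -12,
    "last_analysis_stats": {"malicious": 5, "suspicious": 1, "undetected": 60, "harmless": 0, "timeout": 2},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineB": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineC": {"category": "malicious", "result": "Win32.Agent"},
        "EngineD": {"category": "undetected", "result": None}}}}}
```

`summarize(SAMPLE)` runs offline; `lookup()` only touches the network when a key is present.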

How it fits your workflow.

VirusTotal is usually the broadest single source for a quick reputation check, so this skill sits at the front of most enrichment flows. Pair it with the IOC enrichment workflow to fan one indicator out across several sources, then feed the consolidated result into decay scoring or a sharing platform. Because it runs inside your agent, the lookup happens in the same place you are already writing notes and queries.
