# How to integrate Virustotal MCP with Claude Agent SDK ```json { "title": "How to integrate Virustotal MCP with Claude Agent SDK", "toolkit": "Virustotal", "toolkit_slug": "virustotal", "framework": "Claude Agent SDK", "framework_slug": "claude-agents-sdk", "url": "https://composio.dev/toolkits/virustotal/framework/claude-agents-sdk", "markdown_url": "https://composio.dev/toolkits/virustotal/framework/claude-agents-sdk.md", "updated_at": "2026-05-12T10:29:51.341Z" } ``` ## Introduction This guide walks you through connecting Virustotal to the Claude Agent SDK using the Composio tool router. By the end, you'll have a working Virustotal agent that can scan this file hash for malware, get analysis report for suspicious url, retrieve domain reputation details through natural language commands. This guide will help you understand how to give your Claude Agent SDK agent real control over a Virustotal account through Composio's Virustotal MCP server. Before we dive in, let's take a quick look at the key ideas and tools involved. ## Also integrate Virustotal with - [ChatGPT](https://composio.dev/toolkits/virustotal/framework/chatgpt) - [OpenAI Agents SDK](https://composio.dev/toolkits/virustotal/framework/open-ai-agents-sdk) - [Claude Code](https://composio.dev/toolkits/virustotal/framework/claude-code) - [Claude Cowork](https://composio.dev/toolkits/virustotal/framework/claude-cowork) - [Codex](https://composio.dev/toolkits/virustotal/framework/codex) - [Cursor](https://composio.dev/toolkits/virustotal/framework/cursor) - [VS Code](https://composio.dev/toolkits/virustotal/framework/vscode) - [OpenCode](https://composio.dev/toolkits/virustotal/framework/opencode) - [OpenClaw](https://composio.dev/toolkits/virustotal/framework/openclaw) - [Hermes](https://composio.dev/toolkits/virustotal/framework/hermes-agent) - [CLI](https://composio.dev/toolkits/virustotal/framework/cli) - [Google ADK](https://composio.dev/toolkits/virustotal/framework/google-adk) - [LangChain](https://composio.dev/toolkits/virustotal/framework/langchain) - [Vercel AI SDK](https://composio.dev/toolkits/virustotal/framework/ai-sdk) - [Mastra AI](https://composio.dev/toolkits/virustotal/framework/mastra-ai) - [LlamaIndex](https://composio.dev/toolkits/virustotal/framework/llama-index) - [CrewAI](https://composio.dev/toolkits/virustotal/framework/crew-ai) ## TL;DR Here's what you'll learn: - Get and set up your Claude/Anthropic and Composio API keys - Install the necessary dependencies - Initialize Composio and create a Tool Router session for Virustotal - Configure an AI agent that can use Virustotal as a tool - Run a live chat session where you can ask the agent to perform Virustotal operations ## What is Claude Agent SDK? The Claude Agent SDK is Anthropic's official framework for building AI agents powered by Claude. It provides a streamlined interface for creating agents with MCP tool support and conversation management. Key features include: - Native MCP Support: Built-in support for Model Context Protocol servers - Permission Modes: Control tool execution permissions - Streaming Responses: Real-time response streaming for interactive applications - Context Manager: Clean async context management for sessions ## What is the Virustotal MCP server, and what's possible with it? The Virustotal MCP server is an implementation of the Model Context Protocol that connects your AI agent and assistants like Claude, Cursor, etc directly to your Virustotal account. It provides structured and secure access to malicious file, URL, domain, and IP analysis, so your agent can perform actions like scanning files, retrieving threat reports, investigating domains, and posting comments or verdicts on your behalf. - Comprehensive threat analysis retrieval: Instantly fetch detailed reports on files, URLs, domains, or IP addresses to understand their security reputation and scan results from dozens of antivirus engines. - Relationship and metadata insights: Have your agent explore related entities—such as domains linked to a file, or files associated with an IP address—along with receiving broad metadata about available VirusTotal operations. - Automated commenting and feedback: Use your agent to post contextual comments on any analyzed resource, making collaboration and documentation of findings much easier. - Community-driven voting: Submit harmless or malicious verdicts on files and URLs after reviewing analysis, helping to crowdsource threat intelligence and improve detection accuracy. - Latest user comment retrieval: Let your agent pull up the most recent comments on a file, URL, domain, or IP address to quickly access community feedback and insights. ## Supported Tools | Tool slug | Name | Description | |---|---|---| | `VIRUSTOTAL_ADD_COMMENT` | Add VirusTotal Comment | Tool to add a comment to a VirusTotal resource (file, URL, domain, or IP address). Use after analyzing a resource to leave contextual feedback. Provide exactly one identifier per call. | | `VIRUSTOTAL_ADD_VOTE` | Add Vote | Tool to add a vote (harmless/malicious) to a VirusTotal resource. Use after reviewing analysis results to submit your verdict. | | `VIRUSTOTAL_GET_ANALYSIS` | Get Analysis Report | Tool to retrieve the analysis report of a file or URL submission. Use after obtaining an analysis ID to fetch its detailed report. Analysis results may be incomplete immediately after submission; poll until the report status is 'completed' before treating results as final. | | `VIRUSTOTAL_GET_COMMENTS` | Get comments | Tool to retrieve the latest comments on a VirusTotal resource. Use when you need to review user-generated comments for a file, URL, domain, or IP after obtaining its identifier. | | `VIRUSTOTAL_GET_DOMAIN_RELATIONSHIPS` | Get Domain Relationships | Tool to retrieve relationship objects for a given domain. Use when you have a domain and need to explore its related entities. | | `VIRUSTOTAL_GET_DOMAIN_REPORT` | Get Domain Report | Tool to retrieve the analysis report of a domain. Use when you need detailed insight on a domain's reputation and analysis stats. No malicious signals on obscure or low-traffic domains may indicate limited analysis history rather than safety — treat sparse results as 'unknown', not 'safe'. Covers external OSINT only (reputation, malware, SSL posture); cannot analyze internal/private assets. | | `VIRUSTOTAL_GET_FILE_REPORT` | Get File Report | Tool to retrieve the analysis report of a file. Use when you have a file's hash and need detailed scan metadata. Recently submitted files may return partial results; retry after a short delay before treating the report as final. | | `VIRUSTOTAL_GET_IP_ADDRESS_RELATIONSHIPS` | Get IP Address Relationships | Tool to retrieve objects related to a specific IP address by relationship type. Use when you have an IP and need to explore connected files, URLs, or other entities. | | `VIRUSTOTAL_GET_IP_ADDRESS_REPORT` | Get IP Address Report | Tool to retrieve the analysis report of an IP address. Use when you need detailed insight on an IP's reputation, ASN, country, and analysis stats. Low or zero detections indicate unknown risk, not safety — treat sparse data accordingly. Provides external OSINT only; insufficient as standalone compliance evidence. | | `VIRUSTOTAL_GET_METADATA` | Get VirusTotal Metadata | Tool to retrieve VirusTotal metadata. Use when you need information about available privileges, relationships between resources (like files, domains, IPs, URLs), and supported antivirus engines. | | `VIRUSTOTAL_GET_URL_REPORT` | Get URL Report | Tool to retrieve the analysis report of a URL. Use when you have a URL identifier (base64-url without padding) and need detailed scan results, reputation, and metadata. Results may be incomplete immediately after submission; retry with short delays if scan engines are still processing before treating the report as final. | | `VIRUSTOTAL_GET_VOTES` | Get Votes | Tool to retrieve votes on files, URLs, domains, or IP addresses. Use when you need to view community votes for a given object. | | `VIRUSTOTAL_RESCAN_FILE` | Rescan File | Tool to re-analyze a previously submitted file. Use when you need updated analysis results after an initial scan. | | `VIRUSTOTAL_SCAN_URL` | Scan URL | Tool to submit a URL for scanning. Use when you have a URL and need to submit it to VirusTotal to obtain an analysis ID for later retrieval. The returned analysis ID is preliminary — scanning engines may not have finished. Poll VIRUSTOTAL_GET_URL_REPORT with the ID using short delays to retrieve complete results. | | `VIRUSTOTAL_SEARCH` | Search VirusTotal | Tool to search for objects in the VirusTotal database. Use when locating files, URLs, domains, IPs, or comments matching a query. Supports pagination with limit and cursor. | | `VIRUSTOTAL_UPLOAD_FILE` | Upload File | Tool to upload a file for scanning. Use when you have binary file content ready to submit for VirusTotal analysis. | ## Supported Triggers None listed. ## Creating MCP Server - Stand-alone vs Composio SDK The Virustotal MCP server is an implementation of the Model Context Protocol that connects your AI agent to Virustotal. It provides structured and secure access so your agent can perform Virustotal operations on your behalf through a secure, permission-based interface. With Composio's managed implementation, you don't have to create your own developer app. For production, if you're building an end product, we recommend using your own credentials. The managed server helps you prototype fast and go from 0-1 faster. ## Step-by-step Guide ### 1. Prerequisites Before starting, make sure you have: - Composio API Key and Claude/Anthropic API Key - Primary know-how of Claude Agents SDK - A Virustotal account - Some knowledge of Python ### 1. Getting API Keys for Claude/Anthropic and Composio Claude/Anthropic API Key - Go to the [Anthropic Console](https://console.anthropic.com/settings/organization/api-keys) and create an API key. You'll need credits to use the models. - Keep the API key safe. Composio API Key - Log in to the [Composio dashboard](https://dashboard.composio.dev?utm_source=toolkits&utm_medium=framework_docs). - Navigate to your API settings and generate a new API key. - Store this key securely as you'll need it for authentication. ### 2. Install dependencies No description provided. ```python pip install composio-anthropic claude-agent-sdk python-dotenv ``` ```typescript npm install @anthropic-ai/claude-agent-sdk @composio/core dotenv ``` ### 3. Set up environment variables Create a .env file in your project root. What's happening: - COMPOSIO_API_KEY authenticates with Composio - USER_ID identifies the user for session management - ANTHROPIC_API_KEY authenticates with Anthropic/Claude ```bash COMPOSIO_API_KEY=your_composio_api_key_here USER_ID=your_user_id_here ANTHROPIC_API_KEY=your_anthropic_api_key_here ``` ### 4. Import dependencies No description provided. ```python import asyncio from claude_agent_sdk import ClaudeSDKClient, ClaudeAgentOptions import os from composio import Composio from dotenv import load_dotenv load_dotenv() ``` ```typescript import 'dotenv/config'; import readline from 'node:readline'; import { Composio } from '@composio/core'; import { query, type Options } from "@anthropic-ai/claude-agent-sdk"; dotenv.config(); ``` ### 5. Create a Composio instance and Tool Router session No description provided. ```python async def chat_with_remote_mcp(): api_key = os.getenv("COMPOSIO_API_KEY") if not api_key: raise RuntimeError("COMPOSIO_API_KEY is not set") composio = Composio(api_key=api_key) # Create Tool Router session for Virustotal mcp_server = composio.create( user_id=os.getenv("USER_ID"), toolkits=["virustotal"] ) url = mcp_server.mcp.url if not url: raise ValueError("Session URL not found") ``` ```typescript async function chat() { const { COMPOSIO_API_KEY, USER_ID } = process.env; if (!COMPOSIO_API_KEY || !USER_ID) { throw new Error('COMPOSIO_API_KEY and USER_ID required in .env'); } const composio = new Composio({ apiKey: COMPOSIO_API_KEY }); // Create Tool Router session for Virustotal const session = await composio.create(USER_ID, { toolkits: ['virustotal'], }); const mcpUrl = session?.mcp.url; ``` ### 6. Configure Claude Agent with MCP No description provided. ```python # Configure remote MCP server for Claude options = ClaudeAgentOptions( permission_mode="bypassPermissions", mcp_servers={ "composio": { "type": "http", "url": url, "headers": { "x-api-key": os.getenv("COMPOSIO_API_KEY") } } }, system_prompt="You are a helpful assistant with access to Virustotal tools via Composio.", max_turns=10 ) ``` ```typescript const options: Options = { permissionMode: 'bypassPermissions', mcpServers: { composio: { type: 'http', url: mcpUrl, headers: { 'x-api-key': COMPOSIO_API_KEY } } }, systemPrompt: 'You are a helpful assistant with access to Virustotal tools via Composio.', maxTurns: 10, }; ``` ### 7. Create client and start chat loop No description provided. ```python # Create client with context manager async with ClaudeSDKClient(options=options) as client: print("\nChat started. Type 'exit' or 'quit' to end.\n") # Main chat loop while True: user_input = input("You: ").strip() if user_input.lower() in {"exit", "quit"}: print("Goodbye!") break # Send query await client.query(user_input) # Receive and print response print("Claude: ", end="", flush=True) async for message in client.receive_response(): if hasattr(message, "content"): for block in message.content: if hasattr(block, "text"): print(block.text, end="", flush=True) print() ``` ```typescript const rl = readline.createInterface({ input: process.stdin, output: process.stdout, prompt: 'You: ' }); console.log('\nChat started. Type "exit" to quit.\n'); let isProcessing = false; async function ask(prompt: string) { isProcessing = true; rl.pause(); process.stdout.write('Claude is thinking...'); const stream = query({ prompt, options }); let firstChunk = true; for await (const msg of stream) { const content = (msg as any).message?.content || (msg as any).content; if (Array.isArray(content)) { for (const block of content) { if (block.type === 'text' && block.text) { if (firstChunk) { process.stdout.write('\r\x1b[K'); process.stdout.write('Claude: '); firstChunk = false; } process.stdout.write(block.text); } } } } process.stdout.write('\n\n'); isProcessing = false; rl.resume(); rl.prompt(); } rl.on('line', async (line) => { if (isProcessing) return; const input = line.trim(); if (input === 'exit') { rl.close(); process.exit(0); } if (input) await ask(input); else rl.prompt(); }); await ask('What can you help me with?'); } ``` ### 8. Run the application No description provided. ```python if __name__ == "__main__": asyncio.run(chat_with_remote_mcp()) ``` ```typescript try { await chat(); } catch (error) { console.error(error); process.exit(1); } ``` ## Complete Code ```python import asyncio from claude_agent_sdk import ClaudeSDKClient, ClaudeAgentOptions import os from composio import Composio from dotenv import load_dotenv load_dotenv() async def chat_with_remote_mcp(): api_key = os.getenv("COMPOSIO_API_KEY") if not api_key: raise RuntimeError("COMPOSIO_API_KEY is not set") composio = Composio(api_key=api_key) # Create Tool Router session for Virustotal mcp_server = composio.create( user_id=os.getenv("USER_ID"), toolkits=["virustotal"] ) url = mcp_server.mcp.url if not url: raise ValueError("Session URL not found") # Configure remote MCP server for Claude options = ClaudeAgentOptions( permission_mode="bypassPermissions", mcp_servers={ "composio": { "type": "http", "url": url, "headers": { "x-api-key": os.getenv("COMPOSIO_API_KEY") } } }, system_prompt="You are a helpful assistant with access to Virustotal tools via Composio.", max_turns=10 ) # Create client with context manager async with ClaudeSDKClient(options=options) as client: print("\nChat started. Type 'exit' or 'quit' to end.\n") # Main chat loop while True: user_input = input("You: ").strip() if user_input.lower() in {"exit", "quit"}: print("Goodbye!") break # Send query await client.query(user_input) # Receive and print response print("Claude: ", end="", flush=True) async for message in client.receive_response(): if hasattr(message, "content"): for block in message.content: if hasattr(block, "text"): print(block.text, end="", flush=True) print() if __name__ == "__main__": asyncio.run(chat_with_remote_mcp()) ``` ```typescript import 'dotenv/config'; import readline from 'node:readline'; import { Composio } from '@composio/core'; import { query, type Options } from "@anthropic-ai/claude-agent-sdk"; async function chat() { const { COMPOSIO_API_KEY, USER_ID } = process.env; if (!COMPOSIO_API_KEY || !USER_ID) { throw new Error('COMPOSIO_API_KEY and USER_ID required in .env'); } const composio = new Composio({ apiKey: COMPOSIO_API_KEY }); const session = await composio.create(USER_ID, { toolkits: ['virustotal'] }); const mcp_url = session?.mcp.url; const options: Options = { permissionMode: 'bypassPermissions', mcpServers: { composio: { type: 'http', url: mcp_url, headers: { 'x-api-key': COMPOSIO_API_KEY } } }, systemPrompt: 'You are a helpful assistant with access to Virustotal tools via Composio.', maxTurns: 10, }; const rl = readline.createInterface({ input: process.stdin, output: process.stdout, prompt: 'You: ' }); console.log('\nChat started. Type "exit" to quit.\n'); let isProcessing = false; async function ask(prompt: string) { isProcessing = true; rl.pause(); process.stdout.write('Claude is thinking...'); const stream = query({ prompt, options }); let firstChunk = true; for await (const msg of stream) { const content = (msg as any).message?.content || (msg as any).content; if (Array.isArray(content)) { for (const block of content) { if (block.type === 'text' && block.text) { if (firstChunk) { process.stdout.write('\r\x1b[K'); process.stdout.write('Claude: '); firstChunk = false; } process.stdout.write(block.text); } } } } process.stdout.write('\n\n'); isProcessing = false; rl.resume(); rl.prompt(); } rl.on('line', async (line) => { if (isProcessing) return; const input = line.trim(); if (input === 'exit') { rl.close(); process.exit(0); } if (input) await ask(input); else rl.prompt(); }); await ask('What can you help me with?'); } try { await chat(); } catch (error) { console.error(error); process.exit(1); } ``` ## Conclusion You've successfully built a Claude Agent SDK agent that can interact with Virustotal through Composio's Tool Router. Key features: - Native MCP support through Claude's agent framework - Streaming responses for real-time interaction - Permission bypass for smooth automated workflows You can extend this by adding more toolkits, implementing custom business logic, or building a web interface around the agent. ## How to build Virustotal MCP Agent with another framework - [ChatGPT](https://composio.dev/toolkits/virustotal/framework/chatgpt) - [OpenAI Agents SDK](https://composio.dev/toolkits/virustotal/framework/open-ai-agents-sdk) - [Claude Code](https://composio.dev/toolkits/virustotal/framework/claude-code) - [Claude Cowork](https://composio.dev/toolkits/virustotal/framework/claude-cowork) - [Codex](https://composio.dev/toolkits/virustotal/framework/codex) - [Cursor](https://composio.dev/toolkits/virustotal/framework/cursor) - [VS Code](https://composio.dev/toolkits/virustotal/framework/vscode) - [OpenCode](https://composio.dev/toolkits/virustotal/framework/opencode) - [OpenClaw](https://composio.dev/toolkits/virustotal/framework/openclaw) - [Hermes](https://composio.dev/toolkits/virustotal/framework/hermes-agent) - [CLI](https://composio.dev/toolkits/virustotal/framework/cli) - [Google ADK](https://composio.dev/toolkits/virustotal/framework/google-adk) - [LangChain](https://composio.dev/toolkits/virustotal/framework/langchain) - [Vercel AI SDK](https://composio.dev/toolkits/virustotal/framework/ai-sdk) - [Mastra AI](https://composio.dev/toolkits/virustotal/framework/mastra-ai) - [LlamaIndex](https://composio.dev/toolkits/virustotal/framework/llama-index) - [CrewAI](https://composio.dev/toolkits/virustotal/framework/crew-ai) ## Related Toolkits - [Excel](https://composio.dev/toolkits/excel) - Microsoft Excel is a robust spreadsheet application for organizing, analyzing, and visualizing data. It's the go-to tool for calculations, reporting, and flexible data management. - [21risk](https://composio.dev/toolkits/_21risk) - 21RISK is a web app built for easy checklist, audit, and compliance management. It streamlines risk processes so teams can focus on what matters. - [Abstract](https://composio.dev/toolkits/abstract) - Abstract provides a suite of APIs for automating data validation and enrichment tasks. It helps developers streamline workflows and ensure data quality with minimal effort. - [Addressfinder](https://composio.dev/toolkits/addressfinder) - Addressfinder is a data quality platform for verifying addresses, emails, and phone numbers. It helps you ensure accurate customer and contact data every time. - [Agenty](https://composio.dev/toolkits/agenty) - Agenty is a web scraping and automation platform for extracting data and automating browser tasks—no coding needed. It streamlines data collection, monitoring, and repetitive online actions. - [Ambee](https://composio.dev/toolkits/ambee) - Ambee is an environmental data platform providing real-time, hyperlocal APIs for air quality, weather, and pollen. Get precise environmental insights to power smarter decisions in your apps and workflows. - [Ambient weather](https://composio.dev/toolkits/ambient_weather) - Ambient Weather is a platform for personal weather stations with a robust API for accessing local, real-time, and historical weather data. Get detailed environmental insights directly from your own sensors for smarter apps and automations. - [Anonyflow](https://composio.dev/toolkits/anonyflow) - Anonyflow is a service for encryption-based data anonymization and secure data sharing. It helps organizations meet GDPR, CCPA, and HIPAA data privacy compliance requirements. - [Api ninjas](https://composio.dev/toolkits/api_ninjas) - Api ninjas offers 120+ public APIs spanning categories like weather, finance, sports, and more. Developers use it to supercharge apps with real-time data and actionable endpoints. - [Api sports](https://composio.dev/toolkits/api_sports) - Api sports is a comprehensive sports data platform covering 2,000+ competitions with live scores and 15+ years of stats. Instantly access up-to-date sports information for analysis, apps, or chatbots. - [Apify](https://composio.dev/toolkits/apify) - Apify is a cloud platform for building, deploying, and managing web scraping and automation tools called Actors. It lets you automate data extraction and workflow tasks at scale—no infrastructure headaches. - [Autom](https://composio.dev/toolkits/autom) - Autom is a lightning-fast search engine results data platform for Google, Bing, and Brave. Developers use it to access fresh, low-latency SERP data on demand. - [Beaconchain](https://composio.dev/toolkits/beaconchain) - Beaconchain is a real-time analytics platform for Ethereum 2.0's Beacon Chain. It provides detailed insights into validators, blocks, and overall network performance. - [Big data cloud](https://composio.dev/toolkits/big_data_cloud) - BigDataCloud provides APIs for geolocation, reverse geocoding, and address validation. Instantly access reliable location intelligence to enhance your applications and workflows. - [Bigpicture io](https://composio.dev/toolkits/bigpicture_io) - BigPicture.io offers APIs for accessing detailed company and profile data. Instantly enrich your applications with up-to-date insights on 20M+ businesses. - [Bitquery](https://composio.dev/toolkits/bitquery) - Bitquery is a blockchain data platform offering indexed, real-time, and historical data from 40+ blockchains via GraphQL APIs. Get unified, reliable access to complex on-chain data for analytics, trading, and research. - [Brightdata](https://composio.dev/toolkits/brightdata) - Brightdata is a leading web data platform offering advanced scraping, SERP APIs, and anti-bot tools. It lets you collect public web data at scale, bypassing blocks and friction. - [Builtwith](https://composio.dev/toolkits/builtwith) - BuiltWith is a web technology profiler that uncovers the technologies powering any website. Gain actionable insights into analytics, hosting, and content management stacks for smarter research and lead generation. - [Byteforms](https://composio.dev/toolkits/byteforms) - Byteforms is an all-in-one platform for creating forms, managing submissions, and integrating data. It streamlines workflows by centralizing form data collection and automation. - [Cabinpanda](https://composio.dev/toolkits/cabinpanda) - Cabinpanda is a data collection platform for building and managing online forms. It helps streamline how you gather, organize, and analyze responses. ## Frequently Asked Questions ### What are the differences in Tool Router MCP and Virustotal MCP? With a standalone Virustotal MCP server, the agents and LLMs can only access a fixed set of Virustotal tools tied to that server. However, with the Composio Tool Router, agents can dynamically load tools from Virustotal and many other apps based on the task at hand, all through a single MCP endpoint. ### Can I use Tool Router MCP with Claude Agent SDK? Yes, you can. Claude Agent SDK fully supports MCP integration. You get structured tool calling, message history handling, and model orchestration while Tool Router takes care of discovering and serving the right Virustotal tools. ### Can I manage the permissions and scopes for Virustotal while using Tool Router? Yes, absolutely. You can configure which Virustotal scopes and actions are allowed when connecting your account to Composio. You can also bring your own OAuth credentials or API configuration so you keep full control over what the agent can do. ### How safe is my data with Composio Tool Router? All sensitive data such as tokens, keys, and configuration is fully encrypted at rest and in transit. Composio is SOC 2 Type 2 compliant and follows strict security practices so your Virustotal data and credentials are handled as safely as possible. --- [See all toolkits](https://composio.dev/toolkits) · [Composio docs](https://docs.composio.dev/llms.txt)