How to integrate Virustotal MCP with Codex

GET STARTED FOR FREE
Virustotal logo
Codex logo
divider

Introduction

Codex is one of the most popular coding harnesses out there. And MCP makes the experience even better. With Virustotal MCP integration, you can draft, triage, summarise emails, and much more, all without leaving the terminal or the app, whichever you prefer.

Also integrate Virustotal with

Why use Composio?

Apart from a managed and hosted MCP server, you will get:

  • CodeAct: A dedicated workbench that allows GPT to write its code to handle complex tool chaining. Reduces to-and-fro with LLMs for frequent tool calling.
  • Large tool responses: Handle them to minimise context rot.
  • Dynamic just-in-time access to 20,000 tools across 870+ other Apps for cross-app workflows. It loads the tools you need, so GPTs aren't overwhelmed by tools you don't need.

How to install Virustotal MCP in Codex

Run the setup command

Run this command in your terminal to add the Composio MCP server to Codex.

Terminal

It will initiate the authentication in a browser window, authorize Codex to access your Composio account.

Composio authentication page

(Optional) Authenticate with OAuth

To authenticate manually, run the login command to open a browser window and authorize Codex to access your Composio account.

bash
codex mcp login composio

Verify the connection

Run codex mcp list to confirm Composio appears as a registered MCP server.

bash
codex mcp list

Codex App

Codex App follows the same approach as VS Code.

  1. Click ⚙️ on the bottom left → MCP Servers → + Add servers → Streamable HTTP:
  2. Fill the header and Key fields with { "x-consumer-api-key" = "ck_*******" }.
  3. The Key is the Composio API key, that you can find on connect.composio.dev
  4. Click on Authenticate and authorize Codex to your Composio account and you're all set.
Codex App MCP setup
  1. Restart and verify if it's there in .codex/config.toml
bash
[mcp_servers.composio]
url = "https://connect.composio.dev/mcp"
http_headers = { "x-consumer-api-key" = "ck_*******" }

What is the Virustotal MCP server, and what's possible with it?

The Virustotal MCP server is an implementation of the Model Context Protocol that connects your AI agent and assistants like Claude, Cursor, etc directly to your Virustotal account. It provides structured and secure access to malicious file, URL, domain, and IP analysis, so your agent can perform actions like scanning files, retrieving threat reports, investigating domains, and posting comments or verdicts on your behalf.

  • Comprehensive threat analysis retrieval: Instantly fetch detailed reports on files, URLs, domains, or IP addresses to understand their security reputation and scan results from dozens of antivirus engines.
  • Relationship and metadata insights: Have your agent explore related entities—such as domains linked to a file, or files associated with an IP address—along with receiving broad metadata about available VirusTotal operations.
  • Automated commenting and feedback: Use your agent to post contextual comments on any analyzed resource, making collaboration and documentation of findings much easier.
  • Community-driven voting: Submit harmless or malicious verdicts on files and URLs after reviewing analysis, helping to crowdsource threat intelligence and improve detection accuracy.
  • Latest user comment retrieval: Let your agent pull up the most recent comments on a file, URL, domain, or IP address to quickly access community feedback and insights.

Supported Tools & Triggers

Tools
Add VirusTotal CommentTool to add a comment to a virustotal resource (file, url, domain, or ip address).
Add VoteTool to add a vote (harmless/malicious) to a virustotal resource.
Get Analysis ReportTool to retrieve the analysis report of a file or url submission.
Get commentsTool to retrieve the latest comments on a virustotal resource.
Get Domain RelationshipsTool to retrieve relationship objects for a given domain.
Get Domain ReportTool to retrieve the analysis report of a domain.
Get File ReportTool to retrieve the analysis report of a file.
Get IP Address RelationshipsTool to retrieve objects related to a specific ip address by relationship type.
Get IP Address ReportTool to retrieve the analysis report of an ip address.
Get VirusTotal MetadataTool to retrieve virustotal metadata.
Get URL ReportTool to retrieve the analysis report of a url.
Get VotesTool to retrieve votes on files, urls, domains, or ip addresses.
Rescan FileTool to re-analyze a previously submitted file.
Scan URLTool to submit a url for scanning.
Search VirusTotalTool to search for objects in the virustotal database.
Upload FileTool to upload a file for scanning.

Conclusion

You've successfully integrated Virustotal with Codex using Composio's MCP server. Now you can interact with Virustotal directly from your terminal, VS Code, or the Codex App using natural language commands.

Key benefits of this setup:

  • Seamless integration across CLI, VS Code, and standalone app
  • Natural language commands for Virustotal operations
  • Managed authentication through Composio
  • Access to 20,000+ tools across 870+ apps for cross-app workflows
  • CodeAct workbench for complex tool chaining

Next steps:

  • Try asking Codex to perform various Virustotal operations
  • Explore cross-app workflows by connecting more toolkits
  • Build automation scripts that leverage Codex's AI capabilities

How to build Virustotal MCP Agent with another framework

OpenAI Agents SDK logo

OpenAI Agents SDK

Use Virustotal MCP with OpenAI Agents SDK

Claude Agent SDK logo

Claude Agent SDK

Use Virustotal MCP with Claude Agent SDK

Claude Code logo

Claude Code

Use Virustotal MCP with Claude Code

OpenClaw logo

OpenClaw

Use Virustotal MCP with OpenClaw

CLI logo

CLI

Use Virustotal MCP with CLI

Google ADK logo

Google ADK

Use Virustotal MCP with Google ADK

LangChain logo

LangChain

Use Virustotal MCP with LangChain

Vercel AI SDK logo

Vercel AI SDK

Use Virustotal MCP with Vercel AI SDK

Mastra AI logo

Mastra AI

Use Virustotal MCP with Mastra AI

LlamaIndex logo

LlamaIndex

Use Virustotal MCP with LlamaIndex

CrewAI logo

CrewAI

Use Virustotal MCP with CrewAI

FAQ

What are the differences in Tool Router MCP and Virustotal MCP?

With a standalone Virustotal MCP server, the agents and LLMs can only access a fixed set of Virustotal tools tied to that server. However, with the Composio Tool Router, agents can dynamically load tools from Virustotal and many other apps based on the task at hand, all through a single MCP endpoint.

Can I use Tool Router MCP with Codex?

Yes, you can. Codex fully supports MCP integration. You get structured tool calling, message history handling, and model orchestration while Tool Router takes care of discovering and serving the right Virustotal tools.

Can I manage the permissions and scopes for Virustotal while using Tool Router?

Yes, absolutely. You can configure which Virustotal scopes and actions are allowed when connecting your account to Composio. You can also bring your own OAuth credentials or API configuration so you keep full control over what the agent can do.

How safe is my data with Composio Tool Router?

All sensitive data such as tokens, keys, and configuration is fully encrypted at rest and in transit. Composio is SOC 2 Type 2 compliant and follows strict security practices so your Virustotal data and credentials are handled as safely as possible.

Used by agents from

Context
Letta
glean
HubSpot
Agent.ai
Altera
DataStax
Entelligence
Rolai
Context
Letta
glean
HubSpot
Agent.ai
Altera
DataStax
Entelligence
Rolai
Context
Letta
glean
HubSpot
Agent.ai
Altera
DataStax
Entelligence
Rolai

Never worry about agent reliability

We handle tool reliability, observability, and security so you never have to second-guess an agent action.

Book a callGet started for free