How to integrate Virustotal MCP with LangChain

BOOK A CALLGET STARTED FOR FREE
Framework Integration Gradient
Virustotal Logo
LangChain Logo
divider

Introduction

This guide walks you through connecting Virustotal to LangChain using the Composio tool router. By the end, you'll have a working Virustotal agent that can scan this file hash for malware, get analysis report for suspicious url, retrieve domain reputation details, check comments on this ip address through natural language commands.

This guide will help you understand how to give your LangChain agent real control over a Virustotal account through Composio's Virustotal MCP server.

Before we dive in, let's take a quick look at the key ideas and tools involved.

TL;DR

Here's what you'll learn:
  • Get and set up your OpenAI and Composio API keys
  • Connect your Virustotal project to Composio
  • Create a Tool Router MCP session for Virustotal
  • Initialize an MCP client and retrieve Virustotal tools
  • Build a LangChain agent that can interact with Virustotal
  • Set up an interactive chat interface for testing

What is LangChain?

LangChain is a framework for developing applications powered by language models. It provides tools and abstractions for building agents that can reason, use tools, and maintain conversation context.

Key features include:

  • Agent Framework: Build agents that can use tools and make decisions
  • MCP Integration: Connect to external services through Model Context Protocol adapters
  • Memory Management: Maintain conversation history across interactions
  • Multi-Provider Support: Works with OpenAI, Anthropic, and other LLM providers

What is the Virustotal MCP server, and what's possible with it?

The Virustotal MCP server is an implementation of the Model Context Protocol that connects your AI agent and assistants like Claude, Cursor, etc directly to your Virustotal account. It provides structured and secure access to malicious file, URL, domain, and IP analysis, so your agent can perform actions like scanning files, retrieving threat reports, investigating domains, and posting comments or verdicts on your behalf.

  • Comprehensive threat analysis retrieval: Instantly fetch detailed reports on files, URLs, domains, or IP addresses to understand their security reputation and scan results from dozens of antivirus engines.
  • Relationship and metadata insights: Have your agent explore related entities—such as domains linked to a file, or files associated with an IP address—along with receiving broad metadata about available VirusTotal operations.
  • Automated commenting and feedback: Use your agent to post contextual comments on any analyzed resource, making collaboration and documentation of findings much easier.
  • Community-driven voting: Submit harmless or malicious verdicts on files and URLs after reviewing analysis, helping to crowdsource threat intelligence and improve detection accuracy.
  • Latest user comment retrieval: Let your agent pull up the most recent comments on a file, URL, domain, or IP address to quickly access community feedback and insights.

Supported Tools & Triggers

Tools
Add VirusTotal CommentTool to add a comment to a virustotal resource (file, url, domain, or ip address).
Add VoteTool to add a vote (harmless/malicious) to a virustotal resource.
Get Analysis ReportTool to retrieve the analysis report of a file or url submission.
Get commentsTool to retrieve the latest comments on a virustotal resource.
Get Domain RelationshipsTool to retrieve relationship objects for a given domain.
Get Domain ReportTool to retrieve the analysis report of a domain.
Get File ReportTool to retrieve the analysis report of a file.
Get IP Address RelationshipsTool to retrieve objects related to a specific ip address by relationship type.
Get IP Address ReportTool to retrieve the analysis report of an ip address.
Get VirusTotal MetadataTool to retrieve virustotal metadata.
Get URL ReportTool to retrieve the analysis report of a url.
Get VotesTool to retrieve votes on files, urls, domains, or ip addresses.
Rescan FileTool to re-analyze a previously submitted file.
Scan URLTool to submit a url for scanning.
Search VirusTotalTool to search for objects in the virustotal database.
Upload FileTool to upload a file for scanning.

What is the Composio tool router, and how does it fit here?

What is Tool Router?

Composio's Tool Router helps agents find the right tools for a task at runtime. You can plug in multiple toolkits (like Gmail, HubSpot, and GitHub), and the agent will identify the relevant app and action to complete multi-step workflows. This can reduce token usage and improve the reliability of tool calls. Read more here: Getting started with Tool Router

The tool router generates a secure MCP URL that your agents can access to perform actions.

How the Tool Router works

The Tool Router follows a three-phase workflow:

  1. Discovery: Searches for tools matching your task and returns relevant toolkits with their details.
  2. Authentication: Checks for active connections. If missing, creates an auth config and returns a connection URL via Auth Link.
  3. Execution: Executes the action using the authenticated connection.

Step-by-step Guide

Prerequisites

Before starting this tutorial, make sure you have:
  • Python 3.10 or higher installed on your system
  • A Composio account with an API key
  • An OpenAI API key
  • Basic familiarity with Python and async programming

Getting API Keys for OpenAI and Composio

OpenAI API Key
  • Go to the OpenAI dashboard and create an API key. You'll need credits to use the models, or you can connect to another model provider.
  • Keep the API key safe.
Composio API Key
  • Log in to the Composio dashboard.
  • Navigate to your API settings and generate a new API key.
  • Store this key securely as you'll need it for authentication.

Install dependencies

pip install composio-langchain langchain-mcp-adapters langchain python-dotenv

Install the required packages for LangChain with MCP support.

What's happening:

  • composio-langchain provides Composio integration for LangChain
  • langchain-mcp-adapters enables MCP client connections
  • langchain is the core agent framework
  • python-dotenv loads environment variables

Set up environment variables

bash
COMPOSIO_API_KEY=your_composio_api_key_here
COMPOSIO_USER_ID=your_composio_user_id_here
OPENAI_API_KEY=your_openai_api_key_here

Create a .env file in your project root.

What's happening:

  • COMPOSIO_API_KEY authenticates your requests to Composio's API
  • COMPOSIO_USER_ID identifies the user for session management
  • OPENAI_API_KEY enables access to OpenAI's language models

Import dependencies

from langchain_mcp_adapters.client import MultiServerMCPClient
from langchain.agents import create_agent
from dotenv import load_dotenv
from composio import Composio
import asyncio
import os

load_dotenv()
What's happening:
  • We're importing LangChain's MCP adapter and Composio SDK
  • The dotenv import loads environment variables from your .env file
  • This setup prepares the foundation for connecting LangChain with Virustotal functionality through MCP

Initialize Composio client

async def main():
    composio = Composio(api_key=os.getenv("COMPOSIO_API_KEY"))

    if not os.getenv("COMPOSIO_API_KEY"):
        raise ValueError("COMPOSIO_API_KEY is not set")
    if not os.getenv("COMPOSIO_USER_ID"):
        raise ValueError("COMPOSIO_USER_ID is not set")
What's happening:
  • We're loading the COMPOSIO_API_KEY from environment variables and validating it exists
  • Creating a Composio instance that will manage our connection to Virustotal tools
  • Validating that COMPOSIO_USER_ID is also set before proceeding

Create a Tool Router session

# Create Tool Router session for Virustotal
session = composio.create(
    user_id=os.getenv("COMPOSIO_USER_ID"),
    toolkits=['virustotal']
)

url = session.mcp.url
What's happening:
  • We're creating a Tool Router session that gives your agent access to Virustotal tools
  • The create method takes the user ID and specifies which toolkits should be available
  • The returned session.mcp.url is the MCP server URL that your agent will use
  • This approach allows the agent to dynamically load and use Virustotal tools as needed

Configure the agent with the MCP URL

client = MultiServerMCPClient({
    "virustotal-agent": {
        "transport": "streamable_http",
        "url": session.mcp.url,
        "headers": {
            "x-api-key": os.getenv("COMPOSIO_API_KEY")
        }
    }
})

tools = await client.get_tools()

agent = create_agent("gpt-5", tools)
What's happening:
  • We're creating a MultiServerMCPClient that connects to our Virustotal MCP server via HTTP
  • The client is configured with a name and the URL from our Tool Router session
  • get_tools() retrieves all available Virustotal tools that the agent can use
  • We're creating a LangChain agent using the GPT-5 model

Set up interactive chat interface

conversation_history = []

print("Chat started! Type 'exit' or 'quit' to end the conversation.\n")
print("Ask any Virustotal related question or task to the agent.\n")

while True:
    user_input = input("You: ").strip()

    if user_input.lower() in ['exit', 'quit', 'bye']:
        print("\nGoodbye!")
        break

    if not user_input:
        continue

    conversation_history.append({"role": "user", "content": user_input})
    print("\nAgent is thinking...\n")

    response = await agent.ainvoke({"messages": conversation_history})
    conversation_history = response['messages']
    final_response = response['messages'][-1].content
    print(f"Agent: {final_response}\n")
What's happening:
  • We initialize an empty conversation_history list to maintain context across interactions
  • A while loop continuously accepts user input from the command line
  • When a user types a message, it's added to the conversation history and sent to the agent
  • The agent processes the request using the ainvoke() method with the full conversation history
  • Users can type 'exit', 'quit', or 'bye' to end the chat session gracefully

Run the application

if __name__ == "__main__":
    asyncio.run(main())
What's happening:
  • We call the main() function using asyncio.run() to start the application

Complete Code

Here's the complete code to get you started with Virustotal and LangChain:

from langchain_mcp_adapters.client import MultiServerMCPClient
from langchain.agents import create_agent
from dotenv import load_dotenv
from composio import Composio
import asyncio
import os

load_dotenv()

async def main():
    composio = Composio(api_key=os.getenv("COMPOSIO_API_KEY"))
    
    if not os.getenv("COMPOSIO_API_KEY"):
        raise ValueError("COMPOSIO_API_KEY is not set")
    if not os.getenv("COMPOSIO_USER_ID"):
        raise ValueError("COMPOSIO_USER_ID is not set")
    
    session = composio.create(
        user_id=os.getenv("COMPOSIO_USER_ID"),
        toolkits=['virustotal']
    )

    url = session.mcp.url
    
    client = MultiServerMCPClient({
        "virustotal-agent": {
            "transport": "streamable_http",
            "url": url,
            "headers": {
                "x-api-key": os.getenv("COMPOSIO_API_KEY")
            }
        }
    })
    
    tools = await client.get_tools()
  
    agent = create_agent("gpt-5", tools)
    
    conversation_history = []
    
    print("Chat started! Type 'exit' or 'quit' to end the conversation.\n")
    print("Ask any Virustotal related question or task to the agent.\n")
    
    while True:
        user_input = input("You: ").strip()
        
        if user_input.lower() in ['exit', 'quit', 'bye']:
            print("\nGoodbye!")
            break
        
        if not user_input:
            continue
        
        conversation_history.append({"role": "user", "content": user_input})
        print("\nAgent is thinking...\n")
        
        response = await agent.ainvoke({"messages": conversation_history})
        conversation_history = response['messages']
        final_response = response['messages'][-1].content
        print(f"Agent: {final_response}\n")

if __name__ == "__main__":
    asyncio.run(main())

Conclusion

You've successfully built a LangChain agent that can interact with Virustotal through Composio's Tool Router.

Key features of this implementation:

  • Dynamic tool loading through Composio's Tool Router
  • Conversation history maintenance for context-aware responses
  • Async Python provides clean, efficient execution of agent workflows
You can extend this further by adding error handling, implementing specific business logic, or integrating additional Composio toolkits to create multi-app workflows.

How to build Virustotal MCP Agent with another framework

OpenAI Agents SDK

OpenAI Agents SDK

Use Virustotal MCP with OpenAI Agents SDK

Claude Agent SDK

Claude Agent SDK

Use Virustotal MCP with Claude Agent SDK

Google ADK

Google ADK

Use Virustotal MCP with Google ADK

Vercel AI SDK

Vercel AI SDK

Use Virustotal MCP with Vercel AI SDK

Mastra AI

Mastra AI

Use Virustotal MCP with Mastra AI

LlamaIndex

LlamaIndex

Use Virustotal MCP with LlamaIndex

CrewAI

CrewAI

Use Virustotal MCP with CrewAI

FAQ

What are the differences in Tool Router MCP and Virustotal MCP?

With a standalone Virustotal MCP server, the agents and LLMs can only access a fixed set of Virustotal tools tied to that server. However, with the Composio Tool Router, agents can dynamically load tools from Virustotal and many other apps based on the task at hand, all through a single MCP endpoint.

Can I use Tool Router MCP with LangChain?

Yes, you can. LangChain fully supports MCP integration. You get structured tool calling, message history handling, and model orchestration while Tool Router takes care of discovering and serving the right Virustotal tools.

Can I manage the permissions and scopes for Virustotal while using Tool Router?

Yes, absolutely. You can configure which Virustotal scopes and actions are allowed when connecting your account to Composio. You can also bring your own OAuth credentials or API configuration so you keep full control over what the agent can do.

How safe is my data with Composio Tool Router?

All sensitive data such as tokens, keys, and configuration is fully encrypted at rest and in transit. Composio is SOC 2 Type 2 compliant and follows strict security practices so your Virustotal data and credentials are handled as safely as possible.

Used by agents from

Context
ASU
Letta
glean
HubSpot
Agent.ai
Altera
DataStax
Entelligence
Rolai
Context
ASU
Letta
glean
HubSpot
Agent.ai
Altera
DataStax
Entelligence
Rolai
Context
ASU
Letta
glean
HubSpot
Agent.ai
Altera
DataStax
Entelligence
Rolai

Never worry about agent reliability

We handle tool reliability, observability, and security so you never have to second-guess an agent action.

Book a callGet started for free