Obtain an API key from your VirusTotal account; include it in all requests as the x-apikey: YOUR_API_KEY HTTP header.
Submit a file hash (MD5, SHA-1, or SHA-256) for enrichment with GET https://www.virustotal.com/api/v3/files/{hash}; parse the data.attributes.last_analysis_stats (malicious, suspicious, undetected counts) and data.attributes.names fields.
Submit a URL for enrichment by first encoding it in URL-safe base64, then GET https://www.virustotal.com/api/v3/urls/{base64-encoded-url}; interpret the data.attributes.last_analysis_stats and categories fields.
For IPs and domains, use GET /api/v3/ip_addresses/{ip} or /api/v3/domains/{domain} to retrieve reputation, AS owner, WHOIS, and historical DNS data.
Track your quota consumption with GET https://www.virustotal.com/api/v3/users/{username}/api_usage to stay within your tier limits and implement request pacing accordingly.
Known gotchas
The free Public API tier is limited to approximately 4 requests per minute and 500 requests per day; exceeding this returns HTTP 429 — implement rate limiting in your pipeline before hitting quota.
A 404 response on a file hash means VirusTotal has no record of that hash, not that the file is clean; absence of a record should not be treated as a benign verdict.
URL analysis results may be stale if the URL was last scanned months ago; check data.attributes.last_analysis_date and submit a new analysis request (POST /api/v3/urls with url in the body) if the data is too old.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp