lookup_file
Pack: virustotal · Endpoint: https://gateway.pipeworx.io/virustotal/mcp
Look up a file by hash (sha256, sha1, or md5). Returns last-analysis stats (malicious / suspicious / harmless / undetected detector counts), type description, size, names seen, and tags. Useful for triaging hashes seen in alerts or logs.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash | string | yes | SHA-256 / SHA-1 / MD5 of the file |
Example call
Arguments
{
"hash": "44d88612fea8a8f36de82e1278abb02f"
}curl
curl -X POST https://gateway.pipeworx.io/virustotal/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"lookup_file","arguments":{"hash":"44d88612fea8a8f36de82e1278abb02f"}}}'TypeScript (@pipeworx/sdk)
import { Pipeworx } from '@pipeworx/sdk';
const pipeworx = new Pipeworx();
const result = await pipeworx.call('lookup_file', {
"hash": "44d88612fea8a8f36de82e1278abb02f"
});More examples
{
"hash": "9e107d9d372bb6826bd81d3542a419d6043e3a7cbeda4531da5f2d99712df4b9"
}Response shape
Always returns: type, id, stats, reputation, community_votes, tags, last_analyzed_at, raw_attributes, vt_url
| Field | Type | Description |
|---|---|---|
type | string | Resource type (e.g., ‘files’) |
id | string | null | VirusTotal file identifier |
stats | object | |
reputation | number | null | Reputation score from community |
community_votes | object | null | |
tags | array | Tags assigned to the file |
last_analyzed_at | string | null | ISO 8601 timestamp of last analysis |
raw_attributes | object | Full attributes object from VirusTotal API |
vt_url | string | null | Direct link to VirusTotal file report |
Full JSON Schema
{
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "Resource type (e.g., 'files')"
},
"id": {
"type": [
"string",
"null"
],
"description": "VirusTotal file identifier"
},
"stats": {
"type": "object",
"properties": {
"malicious": {
"type": "integer",
"description": "Number of engines detecting as malicious"
},
"suspicious": {
"type": "integer",
"description": "Number of engines detecting as suspicious"
},
"harmless": {
"type": "integer",
"description": "Number of engines detecting as harmless"
},
"undetected": {
"type": "integer",
"description": "Number of engines with no detection"
},
"total_engines": {
"type": "integer",
"description": "Total engines that analyzed the file"
},
"malicious_pct": {
"type": "number",
"description": "Percentage of engines detecting as malicious"
}
},
"required": [
"malicious",
"suspicious",
"harmless",
"undetected",
"total_engines",
"malicious_pct"
]
},
"reputation": {
"type": [
"number",
"null"
],
"description": "Reputation score from community"
},
"community_votes": {
"type": [
"object",
"null"
],
"properties": {
"harmless": {
"type": "integer",
"description": "Community votes for harmless"
},
"malicious": {
"type": "integer",
"description": "Community votes for malicious"
}
}
},
"tags": {
"type": "array",
"items": {
"type": "string"
},
"description": "Tags assigned to the file"
},
"last_analyzed_at": {
"type": [
"string",
"null"
],
"description": "ISO 8601 timestamp of last analysis"
},
"raw_attributes": {
"type": "object",
"description": "Full attributes object from VirusTotal API"
},
"vt_url": {
"type": [
"string",
"null"
],
"description": "Direct link to VirusTotal file report"
}
},
"required": [
"type",
"id",
"stats",
"reputation",
"community_votes",
"tags",
"last_analyzed_at",
"raw_attributes",
"vt_url"
]
}Connect
Add this to your MCP client config, or use one-click install buttons:
{
"mcpServers": {
"virustotal": {
"url": "https://gateway.pipeworx.io/virustotal/mcp"
}
}
}See Getting Started for client-specific install steps.