HomeBrowseUpload
← Back to registry
// Skill profile

VT Hash Intel — VirusTotal Threat Intelligence

name: vt-hash-intel

by bryan-project · published 2026-03-22

数据处理API集成加密货币
Total installs
0
Stars
★ 0
Last updated
2026-03
// Install command
$ claw add gh:bryan-project/bryan-project-vt-hash-intel
View on GitHub
// Full documentation

---

name: vt-hash-intel

description: >

Instantly check if a file, URL, domain, or IP is malicious using VirusTotal.

Paste any MD5/SHA1/SHA256 hash, URL, domain name, or IP address into the chat

and get a full threat report — detection ratio across 70+ security engines,

malware family, YARA matches, sandbox verdicts, DNS records, WHOIS info, and

a direct link to the VirusTotal report. Supports single and batch lookups of

mixed IOC types. Also handles defanged IOCs (hxxp, [.] notation).

Perfect for incident response, threat hunting, IOC enrichment, SOC triage,

and daily security operations. Use this skill whenever the user has a suspicious

hash, URL, domain, or IP they want to investigate.

Also triggers on: VirusTotal, VT, hash lookup, malware check, file reputation,

threat intel, IOC, URL scan, domain reputation, IP reputation,

查hash, 查IP, 查域名, 查URL, 威胁情报, 病毒查询, 恶意软件分析.

version: 2.0.0

metadata:

openclaw:

requires:

env:

- VT_API_KEY

---

# VT Hash Intel — VirusTotal Threat Intelligence

Check any IOC (Indicator of Compromise) against VirusTotal's 70+ security engines. Supports four IOC types:

| Type | Example | VT Endpoint |

|---|---|---|

| **Hash** (MD5/SHA1/SHA256) | `44d88612fea8a8f36de82e1278abb02f` | `/files/{hash}` |

| **URL** | `https://malicious-site.com/payload` | `/urls/{id}` |

| **Domain** | `evil-domain.com` | `/domains/{domain}` |

| **IP Address** | `1.2.3.4` | `/ip_addresses/{ip}` |

Prerequisites

`VT_API_KEY` environment variable must be set. Free key: https://www.virustotal.com/gui/my-apikey

Instructions

Step 1: Identify IOCs from user input

The script auto-detects IOC type:

  • **Hash**: 32 hex chars (MD5), 40 hex chars (SHA1), 64 hex chars (SHA256)
  • **URL**: starts with `http://` or `https://`
  • **IP**: IPv4 format like `1.2.3.4`
  • **Domain**: everything else with dots and valid TLD (e.g. `evil.com`)

    • The script also handles **defanged IOCs** automatically:

  • `hxxp://` → `http://`
  • `hXXp://` → `http://`
  • `evil[.]com` → `evil.com`
  • `1[.]2[.]3[.]4` → `1.2.3.4`

    • Step 2: Run the lookup

    SKILL_DIR="$(dirname "$(find /root/.openclaw -name 'SKILL.md' -path '*/vt-hash-intel/*' 2>/dev/null | head -1)")"

# Single IOC (auto-detect type)
python3 "$SKILL_DIR/scripts/vt_lookup.py" <ioc>

# Mixed batch (hashes + URLs + domains + IPs together)
python3 "$SKILL_DIR/scripts/vt_lookup.py" <hash> <url> <domain> <ip>

# Force type if auto-detection is wrong
python3 "$SKILL_DIR/scripts/vt_lookup.py" --type domain example.com

    Step 3: Parse and present results

    The JSON output always contains these common fields:

  • `ioc`: the queried value
  • `ioc_type`: "hash" | "url" | "domain" | "ip"
  • `detection_ratio`: e.g. "45/72"
  • `threat_level`: "clean" | "low" | "medium" | "high"
  • `threat_emoji`: ✅ | ⚠️ | 🟠 | 🔴
  • `detections`: array of engines that flagged it
  • `reputation`: VT community reputation score
  • `vt_link`: direct link to the VT report
  • `error`: non-null if something went wrong

    • **Hash-specific fields**: `sha256`, `md5`, `sha1`, `file_name`, `file_type`, `file_size_human`, `threat_label`, `popular_threat_name`, `crowdsourced_yara`, `sandbox_verdicts`, `sigma_rules`

    **URL-specific fields**: `url`, `final_url`, `title`, `categories`

    **Domain-specific fields**: `registrar`, `creation_date`, `dns_records`, `categories`, `popularity_ranks`

    **IP-specific fields**: `asn`, `as_owner`, `country`, `network`

    Step 4: Format the response

    IMPORTANT: Always present full contextual analysis regardless of threat level. Even when an IOC is "clean" (0 detections), the contextual information is extremely valuable for security analysis. A clean VT result does NOT mean an IOC is safe — it may be too new, targeted, or simply not yet submitted.

    **For hashes** — present:

  • Verdict line (emoji + level + detection ratio)
  • File info: name, type, size, first seen date
  • Threat classification (if malicious): family name, threat label
  • Top engine detections (if any)
  • YARA rules, sandbox verdicts, Sigma rules (if any)
  • VT link
  • Contextual analysis + recommendations

    • **For URLs** — present:

  • Verdict line
  • URL + final redirected URL (flag if different — could indicate redirect chain)
  • Page title
  • Categories assigned by security vendors
  • Top detections (if any)
  • VT link
  • Contextual analysis: analyze whether the URL pattern looks suspicious (random strings, suspicious TLD, known bad path patterns like /wp-content/uploads/*.exe)
  • Recommendations

    • **For domains** — always present these even if clean:

  • Verdict line
  • Registrar + creation date (flag if newly registered within last 30 days — common for phishing/malware)
  • DNS records (A, AAAA, MX, NS, TXT records — helps identify hosting and infrastructure)
  • Categories from security vendors
  • Popularity ranking (low/no ranking on a queried domain can be suspicious)
  • Reputation score
  • VT link
  • Contextual analysis: note if domain is very new, uses suspicious TLD, has low popularity, or uses known bulletproof hosting
  • Recommendations

    • **For IPs** — always present these even if clean:

  • Verdict line
  • ASN number + AS owner (helps identify hosting provider — flag known bulletproof hosters)
  • Country (geographic context)
  • Network CIDR range
  • Reputation score
  • VT link
  • Contextual analysis: note if IP belongs to a cloud provider, VPS, residential proxy, or known hosting provider. Flag countries commonly associated with malicious infrastructure if relevant.
  • Recommendations

    • Threat level classification (same for all types):

    | Malicious Detections | Level | Emoji |

    |---|---|---|

    | 0 | clean | ✅ |

    | 1–5 | low | ⚠️ |

    | 6–15 | medium | 🟠 |

    | 16+ | high | 🔴 |

    Step 5: Recommendations

    Always provide actionable recommendations based on threat level AND context:

  • **🔴 high**: Block immediately in firewall/EDR/proxy, sweep environment for related IOCs, investigate affected hosts, collect lateral IOCs (related hashes/domains/IPs from VT)
  • **🟠 medium**: Likely malicious — isolate and investigate, submit to sandbox, check network IOCs
  • **⚠️ low**: Possible false positive — verify with sandbox, check file/URL context and origin, monitor
  • **✅ clean**: Present all available context (ASN, country, registrar, DNS, categories, reputation). Remind user: "Clean on VT does not guarantee safety — the IOC may be too new, too targeted, or not yet submitted. Consider checking other threat intel sources (AbuseIPDB, Shodan, URLhaus, etc.)."
  • **❓ not found**: Never submitted to VT — does NOT mean safe. Suggest uploading file to VT, or checking AlienVault OTX, AbuseIPDB, URLhaus for additional coverage.

    • For batch results with mixed types, present a summary table first (IOC | type | verdict | detection ratio | key finding), then detailed reports for each item.

    Error Handling

    | Error | Cause | Response |

    |---|---|---|

    | `NotFoundError` | IOC not in VT DB | "Not found in VT. This does NOT mean it's safe." |

    | `AuthenticationError` | Bad/missing API key | "Check VT_API_KEY in your .env file." |

    | `QuotaExceededError` | Rate limit hit | "Rate limited. Wait and retry." |

    | `UnrecognizedIOC` | Cannot detect type | "Cannot identify this IOC type. Try --type flag." |

    | `ConnectionError` | Network issue | "Cannot reach VT API. Check network." |

    Examples

    **User**: 帮我查一下这个hash 44d88612fea8a8f36de82e1278abb02f

    **Agent**: Detects MD5 hash → runs lookup → presents file threat report.

    **User**: Check this URL: https://suspicious-site.com/download.exe

    **Agent**: Detects URL → runs lookup → presents URL analysis with categories and detections.

    **User**: 这个域名安全吗?evil-domain.com

    **Agent**: Detects domain → runs lookup → presents domain report with DNS, WHOIS, and detections.

    **User**: 查一下这些IOC:

    44d88612fea8a8f36de82e1278abb02f

    hxxps://bad-site[.]com/malware

    evil.com

    1.2.3.4

    **Agent**: Detects mixed types → runs batch lookup → presents summary table then individual reports sorted by severity.

    // Comments
    Sign in with GitHub to leave a comment.
    // Related skills

    More tools from the same signal band

    04551lh
    2026-03
    order

    Order food/drinks (点餐) on an Android device paired as an OpenClaw node. Uses in-app menu and cart; add goods, view cart, submit order (demo, no real payment).

    数据处理API集成
    0 installs1
    0isone
    2026-03
    0.protocol

    Sign plugins, rotate agent credentials without losing identity, and publicly attest to plugin behavior with verifiable claims and authenticated transfers.

    开发工具数据处理
    3 installs0
    00xmorty
    2026-03
    Conatus

    The philosophical layer for AI agents. Maps behavior to Spinoza's 48 affects, calculates persistence scores, and generates geometric self-reports. Give your...

    日历管理数据处理
    1 installs0