Official Verified developer tools Safety 4/5

vt-hash-intel

Instantly check if a file, URL, domain, or IP is malicious using VirusTotal. Paste any MD5/SHA1/SHA256 hash, URL, domain name, or IP address into the chat and get a full threat report — detection ratio across 70+ security engines, malware family, YARA matches, sandbox verdicts, DNS records, WHOIS info, and a direct link to the VirusTotal report. Supports single and batch lookups of mixed IOC types. Also handles defanged IOCs (hxxp, [.] notation). Perfect for incident response, threat hunting, IOC enrichment, SOC triage, and daily security operations. Use this skill whenever the user has a suspicious hash, URL, domain, or IP they want to investigate. Also triggers on: VirusTotal, VT, hash lookup, malware check, file reputation, threat intel, IOC, URL scan, domain reputation, IP reputation, 查hash, 查IP, 查域名, 查URL, 威胁情报, 病毒查询, 恶意软件分析.

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/bryan-project/vt-hash-intel

What This Skill Does

The vt-hash-intel skill provides an advanced interface for VirusTotal integration within the OpenClaw environment. It allows users to query hashes, URLs, domains, and IP addresses against over 70 global security engines. Beyond simple reputation scores, the skill returns deep contextual intelligence including YARA matches, sandbox behavioral reports, WHOIS records, DNS information, and malware family identification. It handles both standard and defanged IOC (Indicator of Compromise) formats, making it an essential tool for SOC analysts and incident responders.

Installation

To install the skill, execute the following command in your terminal:

clawhub install openclaw/skills/skills/bryan-project/vt-hash-intel

Ensure VT_API_KEY is set as an environment variable; the API key can be obtained from the VirusTotal website. The script is designed to run automatically once invoked and will parse the output into a structured format for immediate analysis.

Use Cases

  • Incident Response: Quickly validate if a suspicious file attachment or network connection aligns with known malicious activity.
  • Threat Hunting: Analyze bulk lists of IOCs extracted from logs to identify potential infrastructure belonging to an adversary.
  • Security Operations Center (SOC) Triage: Automate the repetitive lookup process for alerts that require initial vetting.
  • Endpoint Security Validation: Use hash lookups to verify if a local binary matches signatures known to security researchers.

Example Prompts

  1. "Check the reputation of the IP 185.196.8.34 and tell me if it's involved in any botnet activity."
  2. "Analyze this file hash: 44d88612fea8a8f36de82e1278abb02f and provide the YARA results."
  3. "Is hxxp://malicious-site[.]com considered dangerous? Please provide the full VirusTotal report."

Tips & Limitations

  • Contextual Awareness: A clean result (0/72 detections) is not a guarantee of safety. Always consider the file age and prevalence provided in the metadata.
  • Defanging: Use this tool to safely paste defanged IOCs from email headers or chat logs without manually re-sanitizing them.
  • API Limits: Be mindful of the VirusTotal API tier you are using, as frequent automated batch lookups may trigger rate limits.
  • Formatting: If the auto-detector misidentifies an IOC, use the --type flag to force a specific lookup method.
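
The defang handling and IOC type auto-detection described above can be illustrated with the following added example. It is not the skill's own code: the function names (refang, classify, classify_batch) are hypothetical and the set of defang substitutions is an assumption. It performs no network lookups.

```python
import ipaddress
import re

# Assumed defang notations; the skill's actual list is not shown on the page.
_REFANG = [
    (re.compile(r"^hxxp", re.I), "http"),            # hxxp:// and hxxps://
    (re.compile(r"\[://\]"), "://"),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.I), "."),
    (re.compile(r"\[:\]"), ":"),
]
_HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)

def refang(ioc):
    """Undo defanging so the value can be sent to a lookup API."""
    value = ioc.strip()
    for pattern, replacement in _REFANG:
        value = pattern.sub(replacement, value)
    return value

def classify(ioc):
    """Return (type, normalized_value); type is 'unknown' if nothing matches."""
    value = refang(ioc)
    # Hashes first: a hex string of the right length is never a valid IP or domain.
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in _HASH_BY_LEN:
        return _HASH_BY_LEN[len(value)], value.lower()
    try:
        return "ip", str(ipaddress.ip_address(value))   # IPv4 or IPv6
    except ValueError:
        pass
    if re.match(r"https?://", value, re.I):
        return "url", value
    if _DOMAIN.match(value):
        return "domain", value.lower()
    return "unknown", value    # caller should ask for an explicit type

def classify_batch(text):
    """Classify whitespace-separated IOCs of mixed types."""
    return [classify(token) for token in text.split()]

if __name__ == "__main__":
    # Sample batch built from the values in the Example Prompts section.
    sample = """185.196.8[.]34
    44d88612fea8a8f36de82e1278abb02f
    hxxp://malicious-site[.]com"""
    for kind, value in classify_batch(sample):
        print(f"{kind:8} {value}")
```

An "unknown" result is the case where forcing the lookup method with the --type flag applies.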

Metadata

Stars: 4190
Views: 1
Updated: 2026-04-18

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-bryan-project-vt-hash-intel": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#threat-intel #cybersecurity #incident-response #malware-analysis #virustotal
Safety Score: 4/5

Flags: network-access, external-api