{
  "schemaVersion": "1.0",
  "item": {
    "slug": "vt-hash-intel",
    "name": "VirusTotal Hash Analyzer",
    "source": "tencent",
    "type": "skill",
    "category": "通讯协作",
    "sourceUrl": "https://clawhub.ai/Bryan-Project/vt-hash-intel",
    "canonicalUrl": "https://clawhub.ai/Bryan-Project/vt-hash-intel",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/vt-hash-intel",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=vt-hash-intel",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "_meta.json",
      "scripts/vt_lookup.py"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T16:55:25.780Z",
      "expiresAt": "2026-05-07T16:55:25.780Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
        "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/vt-hash-intel"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/vt-hash-intel",
    "agentPageUrl": "https://openagent3.xyz/skills/vt-hash-intel/agent",
    "manifestUrl": "https://openagent3.xyz/skills/vt-hash-intel/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/vt-hash-intel/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "VT Hash Intel — VirusTotal Threat Intelligence",
        "body": "Check any IOC (Indicator of Compromise) against VirusTotal's 70+ security engines. Supports four IOC types:\n\nTypeExampleVT EndpointHash (MD5/SHA1/SHA256)44d88612fea8a8f36de82e1278abb02f/files/{hash}URLhttps://malicious-site.com/payload/urls/{id}Domainevil-domain.com/domains/{domain}IP Address1.2.3.4/ip_addresses/{ip}"
      },
      {
        "title": "Prerequisites",
        "body": "VT_API_KEY environment variable must be set. Free key: https://www.virustotal.com/gui/my-apikey"
      },
      {
        "title": "Step 1: Identify IOCs from user input",
        "body": "The script auto-detects IOC type:\n\nHash: 32 hex chars (MD5), 40 hex chars (SHA1), 64 hex chars (SHA256)\nURL: starts with http:// or https://\nIP: IPv4 format like 1.2.3.4\nDomain: everything else with dots and valid TLD (e.g. evil.com)\n\nThe script also handles defanged IOCs automatically:\n\nhxxp:// → http://\nhXXp:// → http://\nevil[.]com → evil.com\n1[.]2[.]3[.]4 → 1.2.3.4"
      },
      {
        "title": "Step 2: Run the lookup",
        "body": "SKILL_DIR=\"$(dirname \"$(find /root/.openclaw -name 'SKILL.md' -path '*/vt-hash-intel/*' 2>/dev/null | head -1)\")\"\n\n# Single IOC (auto-detect type)\npython3 \"$SKILL_DIR/scripts/vt_lookup.py\" <ioc>\n\n# Mixed batch (hashes + URLs + domains + IPs together)\npython3 \"$SKILL_DIR/scripts/vt_lookup.py\" <hash> <url> <domain> <ip>\n\n# Force type if auto-detection is wrong\npython3 \"$SKILL_DIR/scripts/vt_lookup.py\" --type domain example.com"
      },
      {
        "title": "Step 3: Parse and present results",
        "body": "The JSON output always contains these common fields:\n\nioc: the queried value\nioc_type: \"hash\" | \"url\" | \"domain\" | \"ip\"\ndetection_ratio: e.g. \"45/72\"\nthreat_level: \"clean\" | \"low\" | \"medium\" | \"high\"\nthreat_emoji: ✅ | ⚠️ | 🟠 | 🔴\ndetections: array of engines that flagged it\nreputation: VT community reputation score\nvt_link: direct link to the VT report\nerror: non-null if something went wrong\n\nHash-specific fields: sha256, md5, sha1, file_name, file_type, file_size_human, threat_label, popular_threat_name, crowdsourced_yara, sandbox_verdicts, sigma_rules\n\nURL-specific fields: url, final_url, title, categories\n\nDomain-specific fields: registrar, creation_date, dns_records, categories, popularity_ranks\n\nIP-specific fields: asn, as_owner, country, network"
      },
      {
        "title": "Step 4: Format the response",
        "body": "IMPORTANT: Always present full contextual analysis regardless of threat level. Even when an IOC is \"clean\" (0 detections), the contextual information is extremely valuable for security analysis. A clean VT result does NOT mean an IOC is safe — it may be too new, targeted, or simply not yet submitted.\n\nFor hashes — present:\n\nVerdict line (emoji + level + detection ratio)\nFile info: name, type, size, first seen date\nThreat classification (if malicious): family name, threat label\nTop engine detections (if any)\nYARA rules, sandbox verdicts, Sigma rules (if any)\nVT link\nContextual analysis + recommendations\n\nFor URLs — present:\n\nVerdict line\nURL + final redirected URL (flag if different — could indicate redirect chain)\nPage title\nCategories assigned by security vendors\nTop detections (if any)\nVT link\nContextual analysis: analyze whether the URL pattern looks suspicious (random strings, suspicious TLD, known bad path patterns like /wp-content/uploads/*.exe)\nRecommendations\n\nFor domains — always present these even if clean:\n\nVerdict line\nRegistrar + creation date (flag if newly registered within last 30 days — common for phishing/malware)\nDNS records (A, AAAA, MX, NS, TXT records — helps identify hosting and infrastructure)\nCategories from security vendors\nPopularity ranking (low/no ranking on a queried domain can be suspicious)\nReputation score\nVT link\nContextual analysis: note if domain is very new, uses suspicious TLD, has low popularity, or uses known bulletproof hosting\nRecommendations\n\nFor IPs — always present these even if clean:\n\nVerdict line\nASN number + AS owner (helps identify hosting provider — flag known bulletproof hosters)\nCountry (geographic context)\nNetwork CIDR range\nReputation score\nVT link\nContextual analysis: note if IP belongs to a cloud provider, VPS, residential proxy, or known hosting provider. 
Flag countries commonly associated with malicious infrastructure if relevant.\nRecommendations\n\nThreat level classification (same for all types):\n\nMalicious Detections\tLevel\tEmoji\n0\tclean\t✅\n1–5\tlow\t⚠️\n6–15\tmedium\t🟠\n16+\thigh\t🔴"
      },
      {
        "title": "Step 5: Recommendations",
        "body": "Always provide actionable recommendations based on threat level AND context:\n\n🔴 high: Block immediately in firewall/EDR/proxy, sweep environment for related IOCs, investigate affected hosts, collect lateral IOCs (related hashes/domains/IPs from VT)\n🟠 medium: Likely malicious — isolate and investigate, submit to sandbox, check network IOCs\n⚠️ low: Possible false positive — verify with sandbox, check file/URL context and origin, monitor\n✅ clean: Present all available context (ASN, country, registrar, DNS, categories, reputation). Remind user: \"Clean on VT does not guarantee safety — the IOC may be too new, too targeted, or not yet submitted. Consider checking other threat intel sources (AbuseIPDB, Shodan, URLhaus, etc.).\"\n❓ not found: Never submitted to VT — does NOT mean safe. Suggest uploading file to VT, or checking AlienVault OTX, AbuseIPDB, URLhaus for additional coverage.\n\nFor batch results with mixed types, present a summary table first (IOC | type | verdict | detection ratio | key finding), then detailed reports for each item."
      },
      {
        "title": "Error Handling",
        "body": "ErrorCauseResponseNotFoundErrorIOC not in VT DB\"Not found in VT. This does NOT mean it's safe.\"AuthenticationErrorBad/missing API key\"Check VT_API_KEY in your .env file.\"QuotaExceededErrorRate limit hit\"Rate limited. Wait and retry.\"UnrecognizedIOCCannot detect type\"Cannot identify this IOC type. Try --type flag.\"ConnectionErrorNetwork issue\"Cannot reach VT API. Check network.\""
      },
      {
        "title": "Examples",
        "body": "User: 帮我查一下这个hash 44d88612fea8a8f36de82e1278abb02f\nAgent: Detects MD5 hash → runs lookup → presents file threat report.\n\nUser: Check this URL: https://suspicious-site.com/download.exe\nAgent: Detects URL → runs lookup → presents URL analysis with categories and detections.\n\nUser: 这个域名安全吗？evil-domain.com\nAgent: Detects domain → runs lookup → presents domain report with DNS, WHOIS, and detections.\n\nUser: 查一下这些IOC:\n44d88612fea8a8f36de82e1278abb02f\nhxxps://bad-site[.]com/malware\nevil.com\n1.2.3.4\nAgent: Detects mixed types → runs batch lookup → presents summary table then individual reports sorted by severity."
      }
    ],
    "body": "VT Hash Intel — VirusTotal Threat Intelligence\n\nCheck any IOC (Indicator of Compromise) against VirusTotal's 70+ security engines. Supports four IOC types:\n\nType\tExample\tVT Endpoint\nHash (MD5/SHA1/SHA256)\t44d88612fea8a8f36de82e1278abb02f\t/files/{hash}\nURL\thttps://malicious-site.com/payload\t/urls/{id}\nDomain\tevil-domain.com\t/domains/{domain}\nIP Address\t1.2.3.4\t/ip_addresses/{ip}\nPrerequisites\n\nVT_API_KEY environment variable must be set. Free key: https://www.virustotal.com/gui/my-apikey\n\nInstructions\nStep 1: Identify IOCs from user input\n\nThe script auto-detects IOC type:\n\nHash: 32 hex chars (MD5), 40 hex chars (SHA1), 64 hex chars (SHA256)\nURL: starts with http:// or https://\nIP: IPv4 format like 1.2.3.4\nDomain: everything else with dots and valid TLD (e.g. evil.com)\n\nThe script also handles defanged IOCs automatically:\n\nhxxp:// → http://\nhXXp:// → http://\nevil[.]com → evil.com\n1[.]2[.]3[.]4 → 1.2.3.4\nStep 2: Run the lookup\nSKILL_DIR=\"$(dirname \"$(find /root/.openclaw -name 'SKILL.md' -path '*/vt-hash-intel/*' 2>/dev/null | head -1)\")\"\n\n# Single IOC (auto-detect type)\npython3 \"$SKILL_DIR/scripts/vt_lookup.py\" <ioc>\n\n# Mixed batch (hashes + URLs + domains + IPs together)\npython3 \"$SKILL_DIR/scripts/vt_lookup.py\" <hash> <url> <domain> <ip>\n\n# Force type if auto-detection is wrong\npython3 \"$SKILL_DIR/scripts/vt_lookup.py\" --type domain example.com\n\nStep 3: Parse and present results\n\nThe JSON output always contains these common fields:\n\nioc: the queried value\nioc_type: \"hash\" | \"url\" | \"domain\" | \"ip\"\ndetection_ratio: e.g. 
\"45/72\"\nthreat_level: \"clean\" | \"low\" | \"medium\" | \"high\"\nthreat_emoji: ✅ | ⚠️ | 🟠 | 🔴\ndetections: array of engines that flagged it\nreputation: VT community reputation score\nvt_link: direct link to the VT report\nerror: non-null if something went wrong\n\nHash-specific fields: sha256, md5, sha1, file_name, file_type, file_size_human, threat_label, popular_threat_name, crowdsourced_yara, sandbox_verdicts, sigma_rules\n\nURL-specific fields: url, final_url, title, categories\n\nDomain-specific fields: registrar, creation_date, dns_records, categories, popularity_ranks\n\nIP-specific fields: asn, as_owner, country, network\n\nStep 4: Format the response\n\nIMPORTANT: Always present full contextual analysis regardless of threat level. Even when an IOC is \"clean\" (0 detections), the contextual information is extremely valuable for security analysis. A clean VT result does NOT mean an IOC is safe — it may be too new, targeted, or simply not yet submitted.\n\nFor hashes — present:\n\nVerdict line (emoji + level + detection ratio)\nFile info: name, type, size, first seen date\nThreat classification (if malicious): family name, threat label\nTop engine detections (if any)\nYARA rules, sandbox verdicts, Sigma rules (if any)\nVT link\nContextual analysis + recommendations\n\nFor URLs — present:\n\nVerdict line\nURL + final redirected URL (flag if different — could indicate redirect chain)\nPage title\nCategories assigned by security vendors\nTop detections (if any)\nVT link\nContextual analysis: analyze whether the URL pattern looks suspicious (random strings, suspicious TLD, known bad path patterns like /wp-content/uploads/*.exe)\nRecommendations\n\nFor domains — always present these even if clean:\n\nVerdict line\nRegistrar + creation date (flag if newly registered within last 30 days — common for phishing/malware)\nDNS records (A, AAAA, MX, NS, TXT records — helps identify hosting and infrastructure)\nCategories from security vendors\nPopularity ranking 
(low/no ranking on a queried domain can be suspicious)\nReputation score\nVT link\nContextual analysis: note if domain is very new, uses suspicious TLD, has low popularity, or uses known bulletproof hosting\nRecommendations\n\nFor IPs — always present these even if clean:\n\nVerdict line\nASN number + AS owner (helps identify hosting provider — flag known bulletproof hosters)\nCountry (geographic context)\nNetwork CIDR range\nReputation score\nVT link\nContextual analysis: note if IP belongs to a cloud provider, VPS, residential proxy, or known hosting provider. Flag countries commonly associated with malicious infrastructure if relevant.\nRecommendations\n\nThreat level classification (same for all types):\n\nMalicious Detections\tLevel\tEmoji\n0\tclean\t✅\n1–5\tlow\t⚠️\n6–15\tmedium\t🟠\n16+\thigh\t🔴\nStep 5: Recommendations\n\nAlways provide actionable recommendations based on threat level AND context:\n\n🔴 high: Block immediately in firewall/EDR/proxy, sweep environment for related IOCs, investigate affected hosts, collect lateral IOCs (related hashes/domains/IPs from VT)\n🟠 medium: Likely malicious — isolate and investigate, submit to sandbox, check network IOCs\n⚠️ low: Possible false positive — verify with sandbox, check file/URL context and origin, monitor\n✅ clean: Present all available context (ASN, country, registrar, DNS, categories, reputation). Remind user: \"Clean on VT does not guarantee safety — the IOC may be too new, too targeted, or not yet submitted. Consider checking other threat intel sources (AbuseIPDB, Shodan, URLhaus, etc.).\"\n❓ not found: Never submitted to VT — does NOT mean safe. Suggest uploading file to VT, or checking AlienVault OTX, AbuseIPDB, URLhaus for additional coverage.\n\nFor batch results with mixed types, present a summary table first (IOC | type | verdict | detection ratio | key finding), then detailed reports for each item.\n\nError Handling\nError\tCause\tResponse\nNotFoundError\tIOC not in VT DB\t\"Not found in VT. 
This does NOT mean it's safe.\"\nAuthenticationError\tBad/missing API key\t\"Check VT_API_KEY in your .env file.\"\nQuotaExceededError\tRate limit hit\t\"Rate limited. Wait and retry.\"\nUnrecognizedIOC\tCannot detect type\t\"Cannot identify this IOC type. Try --type flag.\"\nConnectionError\tNetwork issue\t\"Cannot reach VT API. Check network.\"\nExamples\n\nUser: Help me look up this hash 44d88612fea8a8f36de82e1278abb02f\nAgent: Detects MD5 hash → runs lookup → presents file threat report.\n\nUser: Check this URL: https://suspicious-site.com/download.exe\nAgent: Detects URL → runs lookup → presents URL analysis with categories and detections.\n\nUser: Is this domain safe? evil-domain.com\nAgent: Detects domain → runs lookup → presents domain report with DNS, WHOIS, and detections.\n\nUser: Look up these IOCs:\n44d88612fea8a8f36de82e1278abb02f\nhxxps://bad-site[.]com/malware\nevil.com\n1.2.3.4\nAgent: Detects mixed types → runs batch lookup → presents summary table then individual reports sorted by severity."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/Bryan-Project/vt-hash-intel",
    "publisherUrl": "https://clawhub.ai/Bryan-Project/vt-hash-intel",
    "owner": "Bryan-Project",
    "version": "1.0.2",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/vt-hash-intel",
    "downloadUrl": "https://openagent3.xyz/downloads/vt-hash-intel",
    "agentUrl": "https://openagent3.xyz/skills/vt-hash-intel/agent",
    "manifestUrl": "https://openagent3.xyz/skills/vt-hash-intel/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/vt-hash-intel/agent.md"
  }
}