# Send VirusTotal Hash Analyzer to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "vt-hash-intel",
    "name": "VirusTotal Hash Analyzer",
    "source": "tencent",
    "type": "skill",
    "category": "通讯协作",
    "sourceUrl": "https://clawhub.ai/Bryan-Project/vt-hash-intel",
    "canonicalUrl": "https://clawhub.ai/Bryan-Project/vt-hash-intel",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/vt-hash-intel",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=vt-hash-intel",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md",
      "_meta.json",
      "scripts/vt_lookup.py"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "vt-hash-intel",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-01T17:30:04.166Z",
      "expiresAt": "2026-05-08T17:30:04.166Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=vt-hash-intel",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=vt-hash-intel",
        "contentDisposition": "attachment; filename=\"vt-hash-intel-1.0.2.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "vt-hash-intel"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/vt-hash-intel"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/vt-hash-intel",
    "downloadUrl": "https://openagent3.xyz/downloads/vt-hash-intel",
    "agentUrl": "https://openagent3.xyz/skills/vt-hash-intel/agent",
    "manifestUrl": "https://openagent3.xyz/skills/vt-hash-intel/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/vt-hash-intel/agent.md"
  }
}
```
## Documentation

### VT Hash Intel — VirusTotal Threat Intelligence

Check any IOC (Indicator of Compromise) against VirusTotal's 70+ security engines. Supports four IOC types:

TypeExampleVT EndpointHash (MD5/SHA1/SHA256)44d88612fea8a8f36de82e1278abb02f/files/{hash}URLhttps://malicious-site.com/payload/urls/{id}Domainevil-domain.com/domains/{domain}IP Address1.2.3.4/ip_addresses/{ip}

### Prerequisites

VT_API_KEY environment variable must be set. Free key: https://www.virustotal.com/gui/my-apikey

### Step 1: Identify IOCs from user input

The script auto-detects IOC type:

Hash: 32 hex chars (MD5), 40 hex chars (SHA1), 64 hex chars (SHA256)
URL: starts with http:// or https://
IP: IPv4 format like 1.2.3.4
Domain: everything else with dots and valid TLD (e.g. evil.com)

The script also handles defanged IOCs automatically:

hxxp:// → http://
hXXp:// → http://
evil[.]com → evil.com
1[.]2[.]3[.]4 → 1.2.3.4

### Step 2: Run the lookup

SKILL_DIR="$(dirname "$(find /root/.openclaw -name 'SKILL.md' -path '*/vt-hash-intel/*' 2>/dev/null | head -1)")"

# Single IOC (auto-detect type)
python3 "$SKILL_DIR/scripts/vt_lookup.py" <ioc>

# Mixed batch (hashes + URLs + domains + IPs together)
python3 "$SKILL_DIR/scripts/vt_lookup.py" <hash> <url> <domain> <ip>

# Force type if auto-detection is wrong
python3 "$SKILL_DIR/scripts/vt_lookup.py" --type domain example.com

### Step 3: Parse and present results

The JSON output always contains these common fields:

ioc: the queried value
ioc_type: "hash" | "url" | "domain" | "ip"
detection_ratio: e.g. "45/72"
threat_level: "clean" | "low" | "medium" | "high"
threat_emoji: ✅ | ⚠️ | 🟠 | 🔴
detections: array of engines that flagged it
reputation: VT community reputation score
vt_link: direct link to the VT report
error: non-null if something went wrong

Hash-specific fields: sha256, md5, sha1, file_name, file_type, file_size_human, threat_label, popular_threat_name, crowdsourced_yara, sandbox_verdicts, sigma_rules

URL-specific fields: url, final_url, title, categories

Domain-specific fields: registrar, creation_date, dns_records, categories, popularity_ranks

IP-specific fields: asn, as_owner, country, network

### Step 4: Format the response

IMPORTANT: Always present full contextual analysis regardless of threat level. Even when an IOC is "clean" (0 detections), the contextual information is extremely valuable for security analysis. A clean VT result does NOT mean an IOC is safe — it may be too new, targeted, or simply not yet submitted.

For hashes — present:

Verdict line (emoji + level + detection ratio)
File info: name, type, size, first seen date
Threat classification (if malicious): family name, threat label
Top engine detections (if any)
YARA rules, sandbox verdicts, Sigma rules (if any)
VT link
Contextual analysis + recommendations

For URLs — present:

Verdict line
URL + final redirected URL (flag if different — could indicate redirect chain)
Page title
Categories assigned by security vendors
Top detections (if any)
VT link
Contextual analysis: analyze whether the URL pattern looks suspicious (random strings, suspicious TLD, known bad path patterns like /wp-content/uploads/*.exe)
Recommendations

For domains — always present these even if clean:

Verdict line
Registrar + creation date (flag if newly registered within last 30 days — common for phishing/malware)
DNS records (A, AAAA, MX, NS, TXT records — helps identify hosting and infrastructure)
Categories from security vendors
Popularity ranking (low/no ranking on a queried domain can be suspicious)
Reputation score
VT link
Contextual analysis: note if domain is very new, uses suspicious TLD, has low popularity, or uses known bulletproof hosting
Recommendations

For IPs — always present these even if clean:

Verdict line
ASN number + AS owner (helps identify hosting provider — flag known bulletproof hosters)
Country (geographic context)
Network CIDR range
Reputation score
VT link
Contextual analysis: note if IP belongs to a cloud provider, VPS, residential proxy, or known hosting provider. Flag countries commonly associated with malicious infrastructure if relevant.
Recommendations

Threat level classification (same for all types):

Malicious DetectionsLevelEmoji0clean✅1–5low⚠️6–15medium🟠16+high🔴

### Step 5: Recommendations

Always provide actionable recommendations based on threat level AND context:

🔴 high: Block immediately in firewall/EDR/proxy, sweep environment for related IOCs, investigate affected hosts, collect lateral IOCs (related hashes/domains/IPs from VT)
🟠 medium: Likely malicious — isolate and investigate, submit to sandbox, check network IOCs
⚠️ low: Possible false positive — verify with sandbox, check file/URL context and origin, monitor
✅ clean: Present all available context (ASN, country, registrar, DNS, categories, reputation). Remind user: "Clean on VT does not guarantee safety — the IOC may be too new, too targeted, or not yet submitted. Consider checking other threat intel sources (AbuseIPDB, Shodan, URLhaus, etc.)."
❓ not found: Never submitted to VT — does NOT mean safe. Suggest uploading file to VT, or checking AlienVault OTX, AbuseIPDB, URLhaus for additional coverage.

For batch results with mixed types, present a summary table first (IOC | type | verdict | detection ratio | key finding), then detailed reports for each item.

### Error Handling

ErrorCauseResponseNotFoundErrorIOC not in VT DB"Not found in VT. This does NOT mean it's safe."AuthenticationErrorBad/missing API key"Check VT_API_KEY in your .env file."QuotaExceededErrorRate limit hit"Rate limited. Wait and retry."UnrecognizedIOCCannot detect type"Cannot identify this IOC type. Try --type flag."ConnectionErrorNetwork issue"Cannot reach VT API. Check network."

### Examples

User: 帮我查一下这个hash 44d88612fea8a8f36de82e1278abb02f
Agent: Detects MD5 hash → runs lookup → presents file threat report.

User: Check this URL: https://suspicious-site.com/download.exe
Agent: Detects URL → runs lookup → presents URL analysis with categories and detections.

User: 这个域名安全吗？evil-domain.com
Agent: Detects domain → runs lookup → presents domain report with DNS, WHOIS, and detections.

User: 查一下这些IOC:
44d88612fea8a8f36de82e1278abb02f
hxxps://bad-site[.]com/malware
evil.com
1.2.3.4
Agent: Detects mixed types → runs batch lookup → presents summary table then individual reports sorted by severity.
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: Bryan-Project
- Version: 1.0.2
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-05-01T17:30:04.166Z
- Expires at: 2026-05-08T17:30:04.166Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/vt-hash-intel)
- [Send to Agent page](https://openagent3.xyz/skills/vt-hash-intel/agent)
- [JSON manifest](https://openagent3.xyz/skills/vt-hash-intel/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/vt-hash-intel/agent.md)
- [Download page](https://openagent3.xyz/downloads/vt-hash-intel)