VirusTotal is a free online service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content using multiple antivirus engines and website scanners.
VirusTotal is a free online service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content using multiple antivirus engines and website scanners. On Nagent, Virustotal is exposed as a fully-configurable security & identity tools integration that any agent can call — 16 actions, and API key authentication. No code is required to wire Virustotal into your workflow — connect it once via the External Integrations panel and reuse it across every agent you build.
Agent builders use Virustotal to automate the kinds of tasks security & identity tools teams previously handled manually. Concrete examples — each one is a single agent step in Nagent — include:
Every action and trigger is paired with a structured input/output schema (visible in the sections below), so when you wire Virustotal into Helix — our agentic agent builder — the editor knows exactly what each step expects and produces. Configure once, deploy anywhere across your Nagent agents.
Every operation an agent can call against Virustotal, with input parameters and output schema. Drop these into any step of an agent built in Helix.
VIRUSTOTAL_ADD_COMMENTTool to add a comment to a VirusTotal resource (file, URL, domain, or IP address). Use after analyzing a resource to leave contextual feedback. Provide exactly one identifier per call.
Input parameters
URL resource identifier to comment on. Mutually exclusive with file, domain, and ip_address.
SHA-256 hash of the file to comment on. Mutually exclusive with url, domain, and ip_address.
The comment text to add.
Domain name to comment on. Mutually exclusive with file, url, and ip_address.
IP address to comment on. Mutually exclusive with file, url, and domain.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_ADD_VOTETool to add a vote (harmless/malicious) to a VirusTotal resource. Use after reviewing analysis results to submit your verdict.
Input parameters
The vote data object to submit.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_GET_ANALYSISTool to retrieve the analysis report of a file or URL submission. Use after obtaining an analysis ID to fetch its detailed report. Analysis results may be incomplete immediately after submission; poll until the report status is 'completed' before treating results as final.
Input parameters
The identifier of the analysis to retrieve
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_GET_COMMENTSTool to retrieve the latest comments on a VirusTotal resource. Use when you need to review user-generated comments for a file, URL, domain, or IP after obtaining its identifier.
Input parameters
Sort order by comment date ('asc' or 'desc')
Number of comments to return per page (default: 10, max: 40)
Pagination cursor for fetching next page
Resource identifier to get comments for (SHA-256, URL, domain, or IP address)
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_GET_DOMAIN_RELATIONSHIPSTool to retrieve relationship objects for a given domain. Use when you have a domain and need to explore its related entities.
Input parameters
Number of items to return per page (1-40). Defaults to server default if omitted.
Pagination cursor for fetching next page of results.
The domain name to query (e.g., 'example.com').
Type of relationship to retrieve. Allowed values: communicating_files, referrer_files, downloaded_files, resolutions, subdomains, categories, whois, ssl_certificates, detected_downloaded_samples, detected_referrer_samples.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_GET_DOMAIN_REPORTTool to retrieve the analysis report of a domain. Use when you need detailed insight on a domain's reputation and analysis stats. No malicious signals on obscure or low-traffic domains may indicate limited analysis history rather than safety — treat sparse results as 'unknown', not 'safe'. Covers external OSINT only (reputation, malware, SSL posture); cannot analyze internal/private assets.
Input parameters
The domain name to retrieve the report for (e.g., 'example.com')
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_GET_FILE_REPORTTool to retrieve the analysis report of a file. Use when you have a file's hash and need detailed scan metadata. Recently submitted files may return partial results; retry after a short delay before treating the report as final.
Input parameters
Unique file identifier (SHA-256, SHA-1, MD5 hash or scan_id)
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_GET_IP_ADDRESS_RELATIONSHIPSTool to retrieve objects related to a specific IP address by relationship type. Use when you have an IP and need to explore connected files, URLs, or other entities.
Input parameters
The IPv4 or IPv6 address to query (e.g., '8.8.8.8').
Number of items to return per page (1-40). Defaults to server default if omitted.
Pagination cursor for fetching next page of results.
Type of relationship to retrieve. Allowed values: communicating_files, downloaded_files, communicating_urls.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_GET_IP_ADDRESS_REPORTTool to retrieve the analysis report of an IP address. Use when you need detailed insight on an IP's reputation, ASN, country, and analysis stats. Low or zero detections indicate unknown risk, not safety — treat sparse data accordingly. Provides external OSINT only; insufficient as standalone compliance evidence.
Input parameters
The IP address to retrieve the report for (IPv4 or IPv6) Note: this parameter is named `ip`, not `ipAddress` (used by ABUSEIPDB_CHECK_IP); using the wrong name causes validation failure.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_GET_METADATATool to retrieve VirusTotal metadata. Use when you need information about available privileges, relationships between resources (like files, domains, IPs, URLs), and supported antivirus engines.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_GET_URL_REPORTTool to retrieve the analysis report of a URL. Use when you have a URL identifier (base64-url without padding) and need detailed scan results, reputation, and metadata. Results may be incomplete immediately after submission; retry with short delays if scan engines are still processing before treating the report as final.
Input parameters
Base64 URL identifier (RFC 4648 without padding) of the URL
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_GET_VOTESTool to retrieve votes on files, URLs, domains, or IP addresses. Use when you need to view community votes for a given object.
Input parameters
Maximum number of votes to retrieve (default: 10, max: 40).
Pagination cursor for fetching subsequent pages of results.
Identifier of the object (e.g., file hash, URL-encoded URL, domain name, or IP address).
Type of the object to retrieve votes for: 'files', 'urls', 'domains', or 'ip_addresses'.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_RESCAN_FILETool to re-analyze a previously submitted file. Use when you need updated analysis results after an initial scan.
Input parameters
Unique file identifier (SHA-256, SHA-1, or MD5 hash of the file) to re-analyze.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_SCAN_URLTool to submit a URL for scanning. Use when you have a URL and need to submit it to VirusTotal to obtain an analysis ID for later retrieval. The returned analysis ID is preliminary — scanning engines may not have finished. Poll VIRUSTOTAL_GET_URL_REPORT with the ID using short delays to retrieve complete results.
Input parameters
The URL to be analyzed.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_SEARCHTool to search for objects in the VirusTotal database. Use when locating files, URLs, domains, IPs, or comments matching a query. Supports pagination with limit and cursor.
Input parameters
Maximum number of items to return (1-40). Defaults to 10 if not specified.
Query string to search in the VirusTotal database. Can be a file hash, URL, domain, IP address, or an advanced search query.
Pagination cursor from a previous SEARCH response. Use to retrieve the next batch of results.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
VIRUSTOTAL_UPLOAD_FILETool to upload a file for scanning. Use when you have binary file content ready to submit for VirusTotal analysis.
Input parameters
Binary content of the file to upload.
Optional filename to use for the uploaded file.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether or not the action execution was successful or not
No publicly available marketplace agent is found using this tool yet. There are 67 agents privately built on Nagent that already use Virustotal.
Build on Nagent
Connect Virustotal to any Nagent agent in minutes — no API key management, no boilerplate. Just configure and deploy.
The five questions agent builders ask before adopting a new integration.
Open the External Integrations panel inside Nagent (app.nagent.ai/externalIntegration), find Virustotal, and click "Connect Now." You'll authenticate with an API key — Nagent handles credential storage and refresh automatically. Once connected, Virustotal is available to any agent in your workspace.
No. Nagent provides no-code integration for every tool. Once Virustotal is connected, you configure its 16 actions directly in the agent builder UI — no API calls, no boilerplate, no schema management.
Helix — Nagent's agentic agent builder — lets you drop Virustotal steps into any workflow visually. Pick an action (e.g., one of those listed above), fill in the inputs (Helix knows the required vs. optional schema for each parameter), and connect it to upstream/downstream steps. Triggers run as the entry point of an agent, so when a Virustotal event fires, the agent kicks off automatically.
Every Virustotal action and trigger ships with a fully-typed schema — input parameters with name, type, required flag, and description, plus the output payload shape. The schemas are documented in the sections above. Helix uses these schemas to validate your configuration at build time and to type-check the data flowing between steps.
Yes. While Virustotal ships with 16 pre-built security & identity tools actions, you can layer custom logic around them inside Helix — pre/post-processing steps, conditional branches, retries, or stitching Virustotal together with other connected tools. For deeper customization, talk to our team about Nagent's Agentic AI Lab — forward-deployed engineers who build Virustotal-based workflows tailored to your business.