Kaspersky OpenTIP MCP Server

Official

Overview Schema Related Servers Score Discussions

search_hash

Read-only

Check file safety by analyzing hash values (MD5, SHA1, SHA256) against Kaspersky's threat intelligence database to identify potential malware or security risks.

Instructions

Get threat intelligence information about a file by hash (md5, sha1, sha256)

Input Schema

TableJSON Schema

Name	Required	Description	Default
`file_hash`	Yes

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

opentip-mcp/opentip.py:94-113 (handler)

The main handler function for the 'search_hash' MCP tool. It validates the input hash using a regex pattern, prepares parameters, and calls the opentip_request helper to query the OpenTIP API. The @mcp.tool decorator registers it as an MCP tool with description and annotations.

@mcp.tool(
    description="Get threat intelligence information about a file by hash (md5, sha1, sha256)",
    annotations=ToolAnnotations(
        title="Investigate a file by hash",
        readOnlyHint=True,
        openWorldHint=True,
    ),
)
async def search_hash(file_hash: str) -> dict[str, Any] | None:
    """Get threat intelligence information about a file by hash (md5, sha1, sha256)

    Args:
        file_hash: hash that you want to investigate
    """

    if not hash_pattern.match(file_hash):
        return {"result": "error", "error_message": "Invalid hash format. Please provide a valid md5, sha1, or sha256 hash."}

    params = {"request": file_hash}
    return await opentip_request(Endpoints.search_hash, "get", params)

opentip-mcp/opentip.py:53-92 (helper)

Shared helper function that performs HTTP requests to the OpenTIP API, handles authentication, errors, and returns JSON responses or error dicts. Called by search_hash with endpoint Endpoints.search_hash.

async def opentip_request(
    endpoint: str,
    request_type: RequestType = "get",
    params: Optional[dict[str, Any]] = None,
    content: Optional[bytes] = None,
    headers: Optional[dict[str, str]] = None,
) -> dict[str, Any]:
    """Make a request to the OpenTIP API with proper error handling."""
    headers = headers or {}
    headers = {
        "user-agent": "opentip-mcp-client",
        "x-api-key": OPENTIP_API_KEY,
        **headers
    }

    async with httpx.AsyncClient() as client:
        try:
            url = f"{OPENTIP_API_BASE}{endpoint}"
            if request_type == "get":
                response = await client.get(
                    url, headers=headers, params=params, timeout=OPENTIP_API_TIMEOUT
                )
            elif request_type == "post":
                response = await client.post(
                    url, headers=headers, params=params, content=content, timeout=OPENTIP_API_TIMEOUT
                )
            response.raise_for_status()
            return response.json()
        except httpx.HTTPStatusError as e:
            if e.response.status_code == 400:
                return {"result": "error", "error_message": "Invalid parameters. Please check your input and try again."}
            elif e.response.status_code == 401:
                return {"result": "error", "error_message": "Authentication failed. Please ensure that you have provided the correct credentials and try again."}
            elif e.response.status_code == 403:
                return {"result": "error", "error_message": "Quota or request limit exceeded. Check your quota and limits and try again."}
            else:
                return {"result": "error", "error_message": str(e)}
        except Exception as e:  # noqa
            return {"result": "error", "error_message": str(e)}

opentip-mcp/opentip.py:44-51 (helper)

StrEnum defining the API endpoint paths, including 'search_hash' used by the tool handler.

class Endpoints(StrEnum):
    search_hash = "search/hash"
    search_ip = "search/ip"
    search_domain = "search/domain"
    search_url = "search/url"
    analyze_file = "scan/file"
    get_analysis_results = "getresult/file"

opentip-mcp/opentip.py:30-30 (helper)
Regex pattern used by search_hash for validating MD5 (32 hex), SHA1 (40 hex), SHA256 (64 hex) hashes.
```
hash_pattern = re.compile(r'^(0x)?(?:[a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64})$')
```

Tool Definition Quality

A3.6/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already provide readOnlyHint=true and openWorldHint=true, indicating safe read operations with possible incomplete results. The description adds value by specifying the hash types accepted (md5, sha1, sha256) and the type of information returned (threat intelligence), but doesn't elaborate on rate limits, authentication needs, or result format beyond what annotations cover.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Single sentence efficiently conveys purpose, resource, and acceptable inputs. No wasted words, perfectly front-loaded with the core functionality. Every element earns its place.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool has annotations covering safety (readOnlyHint) and result completeness (openWorldHint), plus an output schema exists, the description provides adequate context. It specifies the hash types and intelligence focus, though could benefit from mentioning result scope or limitations given the openWorldHint.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 0% schema description coverage and only one parameter, the description adds meaningful context by specifying acceptable hash types (md5, sha1, sha256) and that it's for files. However, it doesn't provide format examples, length requirements, or validation rules for the file_hash parameter.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Get threat intelligence information about a file by hash' with specific hash types listed (md5, sha1, sha256). It distinguishes from sibling tools like search_domain/search_ip by specifying file hash lookup. However, it doesn't explicitly differentiate from analyze_file which might also process files.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage context (when you have a file hash and want threat intelligence), but doesn't explicitly state when to use this vs analyze_file or get_full_analysis_result. No guidance on when NOT to use this tool or clear alternatives are provided.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/KasperskyLab/threat-intelligence'

If you have feedback or need assistance with the MCP directory API, please join our Discord server