Purple AI MCP Server

Official
by Sentinel-One

threat_intel_by_url

Query VirusTotal to retrieve comprehensive threat intelligence and reputation for any URL, including detection results from 90+ security vendors.

Instructions

Get threat intelligence and reputation information for a URL from VirusTotal/Google Threat Intelligence.

This tool queries VirusTotal's database to retrieve comprehensive threat intelligence about a URL, including reputation scores, detection results, and historical data.

What this tool provides:

  • URL reputation and detection status from 90+ security vendors

  • Historical analysis results

  • Associated files and malware

  • Redirection chains

  • SSL certificate information

  • WHOIS data for the domain

  • Related IPs and domains

  • Community comments and votes

  • Threat categories (phishing, malware, etc.)

Common Use Cases:

  • Email security: Check if URLs in emails are malicious

  • Web filtering: Validate URL safety before allowing access

  • Incident response: Investigate suspicious URLs from logs

  • Phishing detection: Identify phishing sites

  • Threat hunting: Research known malicious infrastructure

Args:

  • url: The URL to query (must be a valid HTTP/HTTPS URL).

Returns: JSON string containing comprehensive threat intelligence data including:

  • Detection statistics from security vendors

  • URL categories and tags

  • Last analysis timestamp

  • Reputation score

  • Related files and domains

  • SSL certificate details

  • Redirection information

Examples:

  • "https://example.com/suspicious-page"

  • "http://malicious-domain.test/payload.exe"

  • "https://phishing-site.example/login"

Notes:

  • Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable)

  • VirusTotal may scan the URL if it hasn't been analyzed recently

  • Results include historical data and may not reflect current state

  • Scanning a URL will visit the site, which may have privacy implications

  • Private API keys have higher rate limits and additional features

  • When a URL is not found, returns a structured JSON response with found=false

Raises:

  • ThreatIntelligenceClientError: If there's an error communicating with the API.

  • RuntimeError: If the API key is not configured.

Input Schema

Name | Required | Description | Default
url | Yes | |

Output Schema

Name | Required | Description | Default
result | Yes | |

Behavior: 5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations provided, but description thoroughly discloses API key requirement, potential URL scanning, privacy implications, rate limits, return structure for not found, and errors.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Long but well-organized into clear sections (what it provides, use cases, args, returns, examples, notes). Front-loaded with core purpose, though could be slightly more concise.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Complete for a single-parameter tool with output schema existence. Describes output structure, common use cases, error conditions, and privacy implications.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Only one parameter (url) with 0% schema coverage. Description adds valid URL format requirement and provides examples, significantly compensating for schema gap.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states 'Get threat intelligence and reputation information for a URL' and distinguishes from sibling tools like threat_intel_by_domain and threat_intel_by_hash by specifying it's for URLs.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Provides common use cases (email security, web filtering, etc.) and examples, but doesn't explicitly say when not to use or compare to siblings for URLs vs domains.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sentinel-One/purple-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server