Google Threat Intelligence MCP Server

get_entities_related_to_an_url

Identify entities related to a URL by specifying relationship types like associated campaigns, malware families, or contacted infrastructure.

Instructions

Retrieve entities related to the the given URL.

The following table shows a summary of available relationships for URL objects.

Relationship	Description	Return type
analyses	Analyses for the URL.	analyse
associations	URL's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type.	collection
campaigns	Campaigns associated to the URL.	collection
collections	IoC Collections associated to the URL.	collection
comments	Community posted comments about the URL.	comment
communicating_files	Files that communicate with a given URL when they're executed.	file
contacted_domains	Domains from which the URL loads some kind of resource.	domain
contacted_ips	IPs from which the URL loads some kind of resource.	ip_address
downloaded_files	Files downloaded from the URL.	file
embedded_js_files	JS files embedded in a URL.	file
graphs	Graphs including the URL.	graph
http_response_contents	HTTP response contents from the URL.	file
last_serving_ip_address	Last IP address that served the URL.	ip_address
malware_families	Malware families associated to the URL.	collection
memory_pattern_parents	Files having a domain as string on memory during sandbox execution.	file
network_location	Domain or IP for the URL.	domain or ip_address
parent_resource_urls	Returns the URLs where this URL has been loaded as resource.	url
redirecting_urls	URLs that redirected to the given URL.	url
redirects_to	URLs that this url redirects to.	url
referrer_files	Files containing the URL.	file
referrer_urls	URLs referring the URL.	url
related_collections	Returns the Collections of the parent Domains or IPs of this URL.	collection
related_comments	Community posted comments in the URL's related objects.	comment
related_reports	Reports that are directly and indirectly related to the URL.	collection
related_threat_actors	URL's related threat actors.	collection
reports	Reports directly associated to the URL.	collection
software_toolkits	Software and Toolkits associated to the URL.	collection
submissions	URL's submissions.	url
urls_related_by_tracker_id	URLs that share the same tracker ID.	url
user_votes	URL's votes made by current signed-in user.	vote
votes	Votes for the URL.	vote
vulnerabilities	Vulnerabilities associated to the URL.	collection

Args: url (required): URL to analyse. relationship_name (required): Relationship name. descriptors_only (required): Bool. Must be True when the target object type is one of file, domain, url, ip_address or collection. limit: Limit the number of objects to retrieve. 10 by default. Returns: List of entities related to the URL.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`url`	Yes
`relationship_name`	Yes
`descriptors_only`	Yes
`limit`	No
`api_key`	No

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

gti_mcp/tools/urls.py:93-159 (handler)

The main handler function for the 'get_entities_related_to_an_url' tool. Validates the relationship_name against URL_RELATIONSHIPS, converts the URL to base64, fetches related entities via VirusTotal client, and returns sanitized results.

@server.tool()
async def get_entities_related_to_an_url(
    url: str, relationship_name: str, descriptors_only: bool, ctx: Context, limit: int = 10, api_key: str = None
) -> list[dict[str, typing.Any]]:
  """Retrieve entities related to the the given URL.

    The following table shows a summary of available relationships for URL objects.

    | Relationship            | Description                                                    | Return type  |
    | ----------------------- | -------------------------------------------------------------- | ------------ | 
    | analyses                | Analyses for the URL.                                          | analyse      |
    | associations            | URL's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type. | collection |
    | campaigns               | Campaigns associated to the URL.                               | collection   |
    | collections             | IoC Collections associated to the URL.                         | collection   |
    | comments                | Community posted comments about the URL.                       | comment      |
    | communicating_files     | Files that communicate with a given URL when they're executed. | file         |
    | contacted_domains       | Domains from which the URL loads some kind of resource.        | domain       |
    | contacted_ips           | IPs from which the URL loads some kind of resource.            | ip_address   |
    | downloaded_files        | Files downloaded from the URL.                                 | file         |
    | embedded_js_files       | JS files embedded in a URL.                                    | file         |
    | graphs                  | Graphs including the URL.                                      | graph        |
    | http_response_contents  | HTTP response contents from the URL.                           | file         |
    | last_serving_ip_address | Last IP address that served the URL.                           | ip_address   |
    | malware_families        | Malware families associated to the URL.                        | collection   |
    | memory_pattern_parents  | Files having a domain as string on memory during sandbox execution. | file    |
    | network_location        | Domain or IP for the URL.                                      | domain or ip_address |
    | parent_resource_urls    | Returns the URLs where this URL has been loaded as resource.   | url          |
    | redirecting_urls        | URLs that redirected to the given URL.                         | url          |
    | redirects_to            | URLs that this url redirects to.                               | url          |
    | referrer_files          | Files containing the URL.                                      | file         |
    | referrer_urls           | URLs referring the URL.                                        | url          |
    | related_collections     | Returns the Collections of the parent Domains or IPs of this URL. | collection  |
    | related_comments        | Community posted comments in the URL's related objects.        | comment      |
    | related_reports         | Reports that are directly and indirectly related to the URL.   | collection   |
    | related_threat_actors   | URL's related threat actors.                                   | collection   |
    | reports                 | Reports directly associated to the URL.                        | collection   |
    | software_toolkits       | Software and Toolkits associated to the URL.                   | collection   |
    | submissions             | URL's submissions.                                             | url          |
    | urls_related_by_tracker_id | URLs that share the same tracker ID.                        | url          |
    | user_votes          | URL's votes made by current signed-in user.                        | vote         |
    | votes                  | Votes for the URL.                                              | vote         |
    | vulnerabilities        | Vulnerabilities associated to the URL.                          | collection   |

    Args:
      url (required): URL to analyse.
      relationship_name (required): Relationship name.
      descriptors_only (required): Bool. Must be True when the target object type is one of file, domain, url, ip_address or collection.
      limit: Limit the number of objects to retrieve. 10 by default.
    Returns:
      List of entities related to the URL.
  """
  if not relationship_name in URL_RELATIONSHIPS:
    return {
       "error": f"Relationship {relationship_name} does not exist. "
                f"Available relationships are: {','.join(URL_RELATIONSHIPS)}"
    }

  url_id = url_to_base64(url)
  async with vt_client(ctx, api_key=api_key) as client:
    res = await utils.fetch_object_relationships(
        client,
        "urls", 
        url_id,
        relationships=[relationship_name],
        descriptors_only=descriptors_only,
        limit=limit)
  return utils.sanitize_response(res.get(relationship_name, []))

gti_mcp/tools/urls.py:23-56 (schema)

Schema: defines the list of valid relationship names that can be passed to the tool. The handler validates against this list.

URL_RELATIONSHIPS = [
    "analyses",
    "associations",
    "campaigns",
    "collections",
    "comments",
    "communicating_files",
    "contacted_domains",
    "contacted_ips",
    "downloaded_files",
    "embedded_js_files",
    "graphs",
    "http_response_contents",
    "last_serving_ip_address",
    "malware_families",
    "memory_pattern_parents",
    "network_location",
    "parent_resource_urls",
    "redirecting_urls",
    "redirects_to",
    "referrer_files",
    "referrer_urls",
    "related_collections",
    "related_comments",
    "related_reports",
    "related_threat_actors",
    "reports",
    "software_toolkits",
    "submissions",
    "urls_related_by_tracker_id",
    "user_votes",
    "votes",
    "vulnerabilities",
]

gti_mcp/tools/urls.py:93-93 (registration)
Registration: the @server.tool() decorator registers this function as an MCP tool with the server.
```
@server.tool()
```

gti_mcp/tools/urls.py:63-69 (helper)

Helper function that converts a URL string to base64 (without padding) as required by the Google Threat Intelligence API for object identifiers.

def url_to_base64(url: str) -> str:
  """Converts the URL into base64.

  Without padding, as required by the Google Threat Intelligence API.
  """
  b = base64.b64encode(url.encode('utf-8'))
  return b.decode('utf-8').rstrip("=")

Tool Definition Quality

A3.7/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of disclosing behavioral traits. It describes the return type ('List of entities') and lists relationships but does not mention whether the operation is read-only, destructive, requires authentication (despite an api_key parameter), or has side effects. The term 'Retrieve' implies reading, but explicit confirmation is missing.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is front-loaded with the purpose but then includes a lengthy table of relationships. While the table is structured and informative, it could be more concise. A minor typo ('the the') reduces clarity. Overall, the structure is logical and the table aids understanding, but verbosity slightly lowers the score.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given that an output schema exists, the description does not need to detail return values beyond 'List of entities related to the URL.' It covers the relationship options comprehensively, which is crucial for this tool. However, it lacks context on authentication (api_key) and rate limits. For a query tool with well-documented relationships, this is nearly complete.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the description must explain parameters. It describes 'url', 'relationship_name', 'descriptors_only' (with a condition), and 'limit' (with default). However, the 'api_key' parameter is not mentioned at all. Despite this omission, the description adds significant meaning beyond the schema for the other three required parameters and the optional limit.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description states 'Retrieve entities related to the the given URL.' This clearly indicates the action (retrieve) and the resource (entities related to a URL). The tool name itself distinguishes it from siblings that target other entity types (domain, IP, file, etc.), so the purpose is unambiguous and specific.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description does not explicitly state when to use this tool versus alternatives. While the tool name and sibling tools imply it is for URLs specifically, there is no guidance on contexts where it should be used or avoided, nor any mention of prerequisites or custom use cases. The agent must infer usage from naming alone.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/googleSandy/gti-mcp-standalone'

If you have feedback or need assistance with the MCP directory API, please join our Discord server