Google Threat Intelligence MCP Server

update_iocs_in_collection

Add or remove indicators of compromise (IOCs) to or from a threat intelligence collection by specifying the collection ID, IOC type, and operation.

Instructions

Updates (add or remove) Indicators of Compromise (IOCs) to a collection. Args: id (required): The ID of the collection to update. relationship (required): The type of relationship to add. Can be "domains", "files", "ip_addresses", or "urls". iocs (required): List of IOCs to add to the collection. For "urls", these are the full URLs. For other types, they are the identifiers (hashes for files, domain names for domains, etc.). operation (required): The operation to perform. Can be "add" or "remove".

Returns: A string indicating the success or failure of the operation.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`id`	Yes
`relationship`	Yes
`iocs`	Yes
`operation`	Yes
`api_key`	No

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

gti_mcp/tools/collections.py:493-493 (registration)
The `@server.tool()` decorator registers `update_iocs_in_collection` as an MCP tool on the FastMCP server instance.
```
@server.tool()
```

gti_mcp/tools/collections.py:494-543 (handler)

The `update_iocs_in_collection` async function implements the tool logic: validates the relationship type, constructs IOC payload items (using 'url' key for URLs, 'id' key for others), and performs add/remove operations via POST/DELETE API calls to /collections/{id}/{relationship}.

async def update_iocs_in_collection(
    id: str,
    ctx: Context,
    relationship: str,
    iocs: typing.List[str],
    operation: str,
    api_key: str = None,
) -> str:
  """Updates (add or remove) Indicators of Compromise (IOCs) to a collection.
  Args:
    id (required): The ID of the collection to update.
    relationship (required): The type of relationship to add. Can be "domains", "files",
      "ip_addresses", or "urls".
    iocs (required): List of IOCs to add to the collection. For "urls", these
      are the full URLs. For other types, they are the identifiers (hashes for
      files, domain names for domains, etc.).
    operation (required): The operation to perform. Can be "add" or "remove".

  Returns:
    A string indicating the success or failure of the operation.
  """
  async with vt_client(ctx, api_key=api_key) as client:

    singular_type_map = {
        "domains": "domain",
        "files": "file",
        "ip_addresses": "ip_address",
        "urls": "url",
    }

    if relationship not in singular_type_map:
      return f"Error: Invalid IOC type '{relationship}'. Must be one of {list(singular_type_map.keys())}"

    singular_type = singular_type_map[relationship]

    if relationship == "urls":
      items = [{"type": singular_type, "url": ioc} for ioc in iocs]
    else:
      items = [{"type": singular_type, "id": ioc} for ioc in iocs]

    payload = {"data": items}
    if operation == "add":
      res = await client.post_async(f"/collections/{id}/{relationship}", json_data=payload)
    elif operation == "remove":
      res = await client.delete_async(f"/collections/{id}/{relationship}", json_data=payload)
    else:
      return f"Error: Invalid operation '{operation}'. Must be one of 'add' or 'remove'"

    status = res._aiohttp_resp.status
    return 'Sucesssfully updated collection' if status == 200 else 'Error updating collection'

gti_mcp/tools/collections.py:495-501 (schema)
Function signature defines the input schema: id (str), ctx (Context), relationship (str), iocs (List[str]), operation (str), and optional api_key (str).
```
    id: str,
    ctx: Context,
    relationship: str,
    iocs: typing.List[str],
    operation: str,
    api_key: str = None,
) -> str:
```
gti_mcp/tools/collections.py:21-22 (helper)
The `server` (FastMCP instance) and `vt_client` (async context manager for VT API client) are imported from the server module, which provides the tool registration decorator.
```
from ..server import server, vt_client
```

Tool Definition Quality

A4.2/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Without annotations, the description must disclose behavioral traits. It indicates a mutation operation (add/remove) and mentions success/failure return. However, it omits details like whether removals are permanent, required permissions, or behavior when the collection does not exist. Adequate but not exhaustive.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise and well-structured using a docstring format with Args and Returns sections. Every sentence adds value without redundancy or fluff.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool has 5 parameters and no annotations, the description provides sufficient detail for the required parameters and return value. However, it lacks discussion of error conditions, edge cases, or behavior under failure, which would make it more complete.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 0% schema description coverage, the description compensates by explaining each required parameter (id, relationship, iocs, operation) and giving examples for iocs. However, the optional api_key parameter is not described in the Args section, missing an opportunity to add meaning.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool updates (adds or removes) Indicators of Compromise (IOCs) to a collection. It specifies the verb 'Updates' and the resource 'collection', distinguishing from siblings like create_collection (creates new) or search_iocs (reads).

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

While the description implies usage for adding/removing IOCs from a collection, it does not explicitly mention when to use this tool versus alternatives such as update_collection_attributes or search_iocs. Some guidance on exclusion would improve clarity.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/googleSandy/gti-mcp-standalone'

If you have feedback or need assistance with the MCP directory API, please join our Discord server