Skip to main content
Glama
joesecurity

JoeSandboxMCP

Official
by joesecurity
OverviewSchemaRelated ServersScoreDiscussions
Python
Remote

get_analysis_info

Retrieve analysis status, detection results, and metadata for submitted samples using their submission ID. Check completion status, view threat scores, and access detailed classification information.

Instructions

Retrieve metadata and status for a previously submitted analysis by its submission ID.

Use this tool to check whether an analysis is finished, whether the sample was classified as malicious,
and to retrieve contextual metadata such as score, system, and tags.

Args:
    webid (required): The submission ID (also called webid) returned when the sample was uploaded.

Returns:
    If successful, returns a dictionary with fields such as:

    - status (e.g. "finished", "in progress"): Global analysis state.
    - detection (e.g. "malicious", "clean"): Overall result summary.
    - score (integer, e.g. 0-100): The final aggregated threat score.
    - filename: The original filename or download URL of the submitted sample.
    - tags: A list of classification or behavioral tags.
    - scriptname: The Joe Sandbox script used to run the analysis.
    - has_malwareconfig: True if malware configuration extraction succeeded.
    - md5, sha1, sha256: Hashes of the submitted sample.
    - time: The ISO8601 timestamp when the analysis was submitted.
    - duration: Total time (in seconds) the analysis took.
    - classification: Internal or customer-specific label (if set).
    - comments: Analyst comments or notes.
    - encrypted: Whether the submitted file was password-protected.
    - threatname: Identified malware families or on behavioral or signature matches.

    - runs: A list of dictionaries describing individual analysis runs on different systems.
        Each run contains:
        - system: The sandbox environment used (e.g., "w7x64l", "w10x64", "lnxubuntu20").
        - score: Detection score for that system.
        - detection: Result for that specific system (e.g., "malicious", "clean").
        - yara, sigma, suricata: Boolean flags indicating whether detection engines matched.
        - error: Any error that occurred during that specific run.

    Notes:
        - The `runs` array is useful when the same sample is executed on multiple OS environments.
        - The top-level `score` and `detection` reflect the most severe result across all runs.

    If the submission ID is invalid or expired, returns an error object with a reason.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
webidYes

Implementation Reference

  • jbxmcp/tools.py:202-253 (handler)
    The primary handler function for the 'get_analysis_info' tool. It is decorated with @mcp.tool() which registers it as an MCP tool. The function calls the helper query_analysis_info from core.py to fetch the data from Joe Sandbox API and handles any exceptions.
    @mcp.tool()
async def get_analysis_info(webid: str) -> Dict[str, Any]:
    """
    Retrieve metadata and status for a previously submitted analysis by its submission ID.

    Use this tool to check whether an analysis is finished, whether the sample was classified as malicious,
    and to retrieve contextual metadata such as score, system, and tags.

    Args:
        webid (required): The submission ID (also called webid) returned when the sample was uploaded.

    Returns:
        If successful, returns a dictionary with fields such as:

        - status (e.g. "finished", "in progress"): Global analysis state.
        - detection (e.g. "malicious", "clean"): Overall result summary.
        - score (integer, e.g. 0-100): The final aggregated threat score.
        - filename: The original filename or download URL of the submitted sample.
        - tags: A list of classification or behavioral tags.
        - scriptname: The Joe Sandbox script used to run the analysis.
        - has_malwareconfig: True if malware configuration extraction succeeded.
        - md5, sha1, sha256: Hashes of the submitted sample.
        - time: The ISO8601 timestamp when the analysis was submitted.
        - duration: Total time (in seconds) the analysis took.
        - classification: Internal or customer-specific label (if set).
        - comments: Analyst comments or notes.
        - encrypted: Whether the submitted file was password-protected.
        - threatname: Identified malware families or on behavioral or signature matches.

        - runs: A list of dictionaries describing individual analysis runs on different systems.
            Each run contains:
            - system: The sandbox environment used (e.g., "w7x64l", "w10x64", "lnxubuntu20").
            - score: Detection score for that system.
            - detection: Result for that specific system (e.g., "malicious", "clean").
            - yara, sigma, suricata: Boolean flags indicating whether detection engines matched.
            - error: Any error that occurred during that specific run.

        Notes:
            - The `runs` array is useful when the same sample is executed on multiple OS environments.
            - The top-level `score` and `detection` reflect the most severe result across all runs.

        If the submission ID is invalid or expired, returns an error object with a reason.
    """
    try:
        result = await query_analysis_info(webid)
        return result
    except Exception as e:
        return {
            "error": f"Could not retrieve analysis info for submission ID '{webid}'. "
                     f"Reason: {str(e)}"
        }
  • jbxmcp/core.py:247-263 (helper)
    Supporting utility function in core.py that performs the actual synchronous API call to Joe Sandbox using the client.analysis_info method, wrapped in asyncio.to_thread for async compatibility.
    async def query_analysis_info(webid: str) -> Dict[str, Any]:
    """
    Query information about an analysis.
    
    Args:
        webid: The webid of the analysis to query.
        
    Returns:
        A dictionary containing information about the analysis.
    """
    client = get_client()
    
    def blocking_query():
        return client.analysis_info(webid=webid)
    
    return await asyncio.to_thread(blocking_query)
  • jbxmcp/tools.py:202-253 (registration)
    The @mcp.tool() decorator registers the function as an MCP tool, making it available via the FastMCP server in server.py.
    @mcp.tool()
async def get_analysis_info(webid: str) -> Dict[str, Any]:
    """
    Retrieve metadata and status for a previously submitted analysis by its submission ID.

    Use this tool to check whether an analysis is finished, whether the sample was classified as malicious,
    and to retrieve contextual metadata such as score, system, and tags.

    Args:
        webid (required): The submission ID (also called webid) returned when the sample was uploaded.

    Returns:
        If successful, returns a dictionary with fields such as:

        - status (e.g. "finished", "in progress"): Global analysis state.
        - detection (e.g. "malicious", "clean"): Overall result summary.
        - score (integer, e.g. 0-100): The final aggregated threat score.
        - filename: The original filename or download URL of the submitted sample.
        - tags: A list of classification or behavioral tags.
        - scriptname: The Joe Sandbox script used to run the analysis.
        - has_malwareconfig: True if malware configuration extraction succeeded.
        - md5, sha1, sha256: Hashes of the submitted sample.
        - time: The ISO8601 timestamp when the analysis was submitted.
        - duration: Total time (in seconds) the analysis took.
        - classification: Internal or customer-specific label (if set).
        - comments: Analyst comments or notes.
        - encrypted: Whether the submitted file was password-protected.
        - threatname: Identified malware families or on behavioral or signature matches.

        - runs: A list of dictionaries describing individual analysis runs on different systems.
            Each run contains:
            - system: The sandbox environment used (e.g., "w7x64l", "w10x64", "lnxubuntu20").
            - score: Detection score for that system.
            - detection: Result for that specific system (e.g., "malicious", "clean").
            - yara, sigma, suricata: Boolean flags indicating whether detection engines matched.
            - error: Any error that occurred during that specific run.

        Notes:
            - The `runs` array is useful when the same sample is executed on multiple OS environments.
            - The top-level `score` and `detection` reflect the most severe result across all runs.

        If the submission ID is invalid or expired, returns an error object with a reason.
    """
    try:
        result = await query_analysis_info(webid)
        return result
    except Exception as e:
        return {
            "error": f"Could not retrieve analysis info for submission ID '{webid}'. "
                     f"Reason: {str(e)}"
        }

Tool Definition Quality

A4.5/5.0
Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It effectively describes key behaviors: it's a read-only retrieval operation (implied by 'Retrieve'), handles invalid/expired IDs with error returns, and explains the structure and utility of the 'runs' array. It lacks details on rate limits or authentication needs, but covers the core operational behavior well.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured with a clear purpose statement, usage guidance, parameter explanation, and detailed return value documentation. It is appropriately sized for the tool's complexity, though the extensive list of return fields could be slightly condensed without losing clarity. Every sentence adds value.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's moderate complexity (single parameter, no output schema, no annotations), the description is highly complete. It covers purpose, usage, parameter meaning, return structure with examples, and edge cases (invalid IDs). For a retrieval tool, this provides all necessary context for an agent to use it correctly.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has 0% description coverage, so the description must fully compensate. It clearly explains the single parameter 'webid' as 'The submission ID (also called webid) returned when the sample was uploaded,' adding essential context beyond the schema's basic type definition. This is comprehensive for the one parameter.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific action ('Retrieve metadata and status') and resource ('previously submitted analysis by its submission ID'), distinguishing it from siblings like 'submit_analysis_job' (which creates analyses) and 'get_list_of_recent_analyses' (which lists multiple analyses). The purpose is precise and unambiguous.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly states when to use this tool ('Use this tool to check whether an analysis is finished...'), providing clear context for its application. However, it does not mention when not to use it or name specific alternatives among the sibling tools (e.g., 'search_analysis' might overlap in some scenarios), which prevents a perfect score.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/joesecurity/joesandboxMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server