
virustotal-automation

npx machina-cli add skill ComposioHQ/awesome-claude-skills/virustotal-automation --openclaw

Virustotal Automation via Rube MCP

Automate Virustotal operations through Composio's Virustotal toolkit via Rube MCP.

Toolkit docs: composio.dev/toolkits/virustotal

Prerequisites

  • Rube MCP must be connected (RUBE_SEARCH_TOOLS available)
  • Active Virustotal connection via RUBE_MANAGE_CONNECTIONS with toolkit virustotal
  • Always call RUBE_SEARCH_TOOLS first to get current tool schemas

Setup

Get Rube MCP: Add https://rube.app/mcp as an MCP server in your client configuration. No API keys needed — just add the endpoint and it works.

  1. Verify Rube MCP is available by confirming RUBE_SEARCH_TOOLS responds
  2. Call RUBE_MANAGE_CONNECTIONS with toolkit virustotal
  3. If connection is not ACTIVE, follow the returned auth link to complete setup
  4. Confirm connection status shows ACTIVE before running any workflows

Tool Discovery

Always discover available tools before executing workflows:

RUBE_SEARCH_TOOLS
queries: [{use_case: "Virustotal operations", known_fields: ""}]
session: {generate_id: true}

This returns available tool slugs, input schemas, recommended execution plans, and known pitfalls.

Core Workflow Pattern

Step 1: Discover Available Tools

RUBE_SEARCH_TOOLS
queries: [{use_case: "your specific Virustotal task"}]
session: {id: "existing_session_id"}

Step 2: Check Connection

RUBE_MANAGE_CONNECTIONS
toolkits: ["virustotal"]
session_id: "your_session_id"

Step 3: Execute Tools

RUBE_MULTI_EXECUTE_TOOL
tools: [{
  tool_slug: "TOOL_SLUG_FROM_SEARCH",
  arguments: {/* schema-compliant args from search results */}
}]
memory: {}
session_id: "your_session_id"

Known Pitfalls

  • Always search first: Tool schemas change. Never hardcode tool slugs or arguments without calling RUBE_SEARCH_TOOLS
  • Check connection: Verify RUBE_MANAGE_CONNECTIONS shows ACTIVE status before executing tools
  • Schema compliance: Use exact field names and types from the search results
  • Memory parameter: Always include memory in RUBE_MULTI_EXECUTE_TOOL calls, even if empty ({})
  • Session reuse: Reuse session IDs within a workflow. Generate new ones for new workflows
  • Pagination: Check responses for pagination tokens and continue fetching until complete
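
The pitfalls above, written as a pre-flight check that runs before a RUBE_MULTI_EXECUTE_TOOL request is sent. This is an added example, not code from Composio or the original skill; the response shapes, the EXAMPLE_VT_LOOKUP slug and the preflight helper are assumptions, because the page does not show what the Rube tools return.

```python
# Added example. The response shapes below are constructed stand-ins: this page
# does not show what RUBE_SEARCH_TOOLS or RUBE_MANAGE_CONNECTIONS return.
SEARCH_RESULT = {
    "session_id": "sess-constructed-1",
    "tools": [{
        "tool_slug": "EXAMPLE_VT_LOOKUP",  # hypothetical slug
        "input_schema": {
            "required": ["resource"],
            "properties": {"resource": {"type": "string"},
                           "limit": {"type": "integer"}},
        },
    }],
}
CONNECTION = {"toolkit": "virustotal", "status": "ACTIVE"}

JSON_TYPES = {"string": str, "integer": int, "boolean": bool,
              "object": dict, "array": list}

def preflight(request, search_result, connection):
    """Return a list of problems; an empty list means the call may be sent."""
    problems = []
    if connection.get("status") != "ACTIVE":
        problems.append("connection not ACTIVE")
    if "memory" not in request:
        problems.append("memory missing (send {} when empty)")
    if request.get("session_id") != search_result.get("session_id"):
        problems.append("session_id differs from the discovery session")
    schemas = {t["tool_slug"]: t["input_schema"] for t in search_result["tools"]}
    for call in request.get("tools", []):
        slug, args = call.get("tool_slug"), call.get("arguments", {})
        schema = schemas.get(slug)
        if schema is None:  # hardcoded or stale slug
            problems.append(f"{slug}: slug not in current search results")
            continue
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in args:
                problems.append(f"{slug}: missing required field {name}")
        for name, value in args.items():
            if name not in props:
                problems.append(f"{slug}: unknown field {name}")
                continue
            expected = JSON_TYPES.get(props[name].get("type"))
            # bool is a subclass of int in Python, so reject it for integers
            wrong = expected is not None and (not isinstance(value, expected)
                    or (expected is int and isinstance(value, bool)))
            if wrong:
                problems.append(f"{slug}: {name} must be {props[name]['type']}")
    return problems
```

Rejecting the request locally keeps a stale slug or a mistyped argument from reaching the remote tool at all, and the returned list is suitable for logging next to the agent's planned call.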

Quick Reference

Operation     Approach
Find tools    RUBE_SEARCH_TOOLS with Virustotal-specific use case
Connect       RUBE_MANAGE_CONNECTIONS with toolkit virustotal
Execute       RUBE_MULTI_EXECUTE_TOOL with discovered tool slugs
Bulk ops      RUBE_REMOTE_WORKBENCH with run_composio_tool()
Full schema   RUBE_GET_TOOL_SCHEMAS for tools with schemaRef

Powered by Composio

Source

git clone https://github.com/ComposioHQ/awesome-claude-skills

SKILL.md: https://github.com/ComposioHQ/awesome-claude-skills/blob/master/composio-skills/virustotal-automation/SKILL.md

Overview

Automates Virustotal operations using Composio's Virustotal toolkit through Rube MCP. It emphasizes discovering current tool schemas first and validating an ACTIVE Virustotal connection before execution, to keep workflows resilient to schema changes.

How This Skill Works

The workflow starts by discovering available Virustotal tools with RUBE_SEARCH_TOOLS to fetch up-to-date tool slugs and input schemas. It then checks the connection status via RUBE_MANAGE_CONNECTIONS and activates it if needed. Finally, it executes the chosen tool with RUBE_MULTI_EXECUTE_TOOL, supplying the discovered arguments and a memory object, ensuring the tool schema remains current by always re-querying first.

When to Use It

  • Automating a recurring Virustotal hash or URL analysis within a larger workflow
  • Batch-processing threat indicators retrieved from another system and analyzing them in Virustotal
  • Verifying an ACTIVE Virustotal connection before running any Virustotal workflows
  • Integrating Virustotal checks into incident response or threat intel pipelines
  • Any workflow where tool schemas may change between runs; always call RUBE_SEARCH_TOOLS before execution

Quick Start

  1. Verify RUBE_SEARCH_TOOLS responds and Virustotal tools are discoverable
  2. Establish an ACTIVE Virustotal connection with RUBE_MANAGE_CONNECTIONS
  3. Execute a discovered tool with RUBE_MULTI_EXECUTE_TOOL using the memory object and session_id

Best Practices

  • Always fetch current tool schemas with RUBE_SEARCH_TOOLS before any run
  • Confirm the Virustotal connection is ACTIVE via RUBE_MANAGE_CONNECTIONS prior to execution
  • Use exact field names and types from the search results; do not hardcode slugs or args
  • Always include memory in RUBE_MULTI_EXECUTE_TOOL calls, even if empty ({})
  • Reuse session IDs within a workflow and generate new IDs for new workflows

Example Use Cases

  • Nightly hash list is scanned against Virustotal and results are reported automatically
  • Batch of threat intel URLs is analyzed in Virustotal when pulled from a feed
  • Malware sample hash undergoes a multi-step Virustotal investigation within a Composio workflow
  • Incident response playbook validates artifacts with Virustotal as part of containment actions
  • As tool schemas update, the workflow auto-discovers new slugs and re-runs with current schemas
