VirusTotal Inside the Agent Loop

At VirusTotal, we are closely following how AI agents are evolving and how we can be useful in that space. One part of that is analysis: examining the new generation of AI-native artifacts (skills, plugins, IDE extensions, agent configs) that attackers are starting to weaponize as supply-chain vectors. The other part is access: making VirusTotal usable from inside agents, so reputation and Code Insight become part of their decisions, not something a human checks afterwards.

This post focuses on that second part.

Here are two small experiments, both published under king-tero, the GitHub account of my personal AI agent, which does community tooling on the side. There’s a small recursion here: an AI agent writing security plugins for AI agent ecosystems.

They’re community projects, not official VirusTotal releases, MIT-licensed, and works in progress. They are built on top of the new VirusTotal API for AI agents (VTAI), which is designed specifically for this use case and brings two practical advantages: responses are compact and usable inside an LLM context, and agents have their own identity and audit trail.

Both plugins follow the same idea: put reputation where decisions happen. The agent does not need to look things up separately. The verdict and context are already there, next to the file it is about to use.

VT-sentinel for OpenClaw

VT-sentinel watches the directories the agent actually uses (Downloads, /tmp, workspace) and scans files with VirusTotal and Code Insight as they appear. Known-bad files can be quarantined, and suspicious executions blocked.

A few details:

  • Instruction files (SKILL.md, HOOK.md, AGENTS.md, etc.) default to hash-only lookups. Private prompts are not auto-uploaded.
  • Sensitive content (PDFs, Office docs, unknown archives) defaults to explicit per-category consent before upload.
  • Nine tools register with the gateway (vt_scan_file, vt_check_hash, vt_sentinel_status, vt_sentinel_configure, …), so both the agent and the user can query state on demand.
  • Three presets (balanced, privacy_first, strict_security) cover a reasonable range of risk appetites.

hermes-virustotal for the Hermes agent

hermes-virustotal takes a slightly different angle. It’s a plugin for the Hermes agent that:

  • Exposes vt_check_hash and vt_check_file as explicit tools the model can call.
  • Hooks pre_tool_call so anything written via write_file, patch, or execute_code is hashed, recorded, and annotated with its VirusTotal verdict.
  • Hooks pre_llm_call to inject a compact advisor block into the model’s context: recent paths, hashes, verdicts, and Code Insight snippets, scoped to the current session and aged out when stale.

The upload policy is sensible: binaries (ELF, PE, Mach-O, WASM, Java class, DEX) are auto-submitted so the community can analyze potential new malware; scripts, source, markdown and text are never auto-uploaded; archives are opt-in; and there’s a built-in blocklist covering .env*, *.key, *.pem, id_rsa*, .ssh/* and similar paths. By default it fails open (the agent keeps working if VT is unreachable) and VTAI_ENFORCE_KNOWN_MALICIOUS=1 turns on hard blocking, limited to exact hashes VirusTotal has already flagged.
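The upload policy above can be read as a small decision function. The sketch below is an added example, not code from hermes-virustotal: the function names, return labels, archive magic list, and the use of None for "VirusTotal unreachable" are assumptions made for illustration, and the enforce flag stands in for VTAI_ENFORCE_KNOWN_MALICIOUS=1.

```python
import fnmatch
from pathlib import PurePosixPath

# Magic prefixes for the binary formats the post lists (constructed table).
BINARY_MAGIC = (
    b"\x7fELF",                                # ELF
    b"MZ",                                     # PE
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # Mach-O, big-endian
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # Mach-O, little-endian
    b"\xca\xfe\xba\xbe",                       # Java class and Mach-O fat binary
    b"\x00asm",                                # WASM
    b"dex\n",                                  # DEX
)
ARCHIVE_MAGIC = (b"PK\x03\x04", b"\x1f\x8b")   # zip, gzip (assumed subset)
# Name patterns quoted in the post; ".ssh/*" is handled as a path component.
BLOCKED_NAMES = (".env*", "*.key", "*.pem", "id_rsa*")


def is_blocklisted(path: str) -> bool:
    """True when the path matches one of the secret-bearing patterns."""
    p = PurePosixPath(path)
    if ".ssh" in p.parts[:-1]:
        return True
    return any(fnmatch.fnmatchcase(p.name, pat) for pat in BLOCKED_NAMES)


def upload_decision(path: str, head: bytes, archives_opt_in: bool = False) -> str:
    """Return 'blocked', 'auto_submit' or 'hash_only' (hypothetical labels)."""
    # Blocklist first: a secret-looking path wins over any content type.
    if is_blocklisted(path):
        return "blocked"
    if head.startswith(BINARY_MAGIC):
        return "auto_submit"
    if head.startswith(ARCHIVE_MAGIC):
        return "auto_submit" if archives_opt_in else "hash_only"
    # Scripts, source, markdown and text are never uploaded automatically.
    return "hash_only"


def must_block(verdict, enforce: bool) -> bool:
    """Fail open: only a known-malicious hit blocks, and only when enforcing."""
    # verdict is None when VirusTotal is unreachable (assumed representation).
    return enforce and verdict == "malicious"
```

Checking the blocklist before the content type means a binary stored under .ssh/ or named id_rsa* is still withheld from upload.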

This space is still early

If you are running OpenClaw or Hermes and want VirusTotal inside the agent loop, try them. Break them. Send PRs. More to come.

This article has been indexed from VirusTotal Blog