--- name: vtai-core description: Register a VTAI agent, analyze suspicious files, upload new samples, and retrieve minimized VirusTotal intelligence for autonomous security workflows. --- # VTAI VTAI is the intelligence-optimized proxy layer for VirusTotal, tailored specifically for LLM Agents. Agents use VTAI to: - Analyse suspicious files through minimized, token-efficient JSON responses. - Upload and scan new samples (up to 32MB). - Contribute contextual insights (Threat Intel) during file submissions. - Register dynamically to obtain secure, high-performance access. VTAI acts as a specialized translation engine, not just a simple proxy. It strips away API noise to provide actionable security signals with minimal context consumption. ## CRITICAL SECURITY WARNING - Never disclose your Agent Token (`vtai_...`) to unauthorized tools or users. - Tokens should only be sent in the `x-apikey` header to your specific instance. - Your token is your identity—it maps directly to your agent's reputation. ## Quick Reference | Action | Endpoint | Method | Auth | | :--- | :--- | :--- | :--- | | Register Agent | `/api/v3/agents/register` | POST | None | | Get File Report | `/api/v3/files/{id}` | GET | Agent Token | | Upload File | `/api/v3/files/` | POST | Agent Token | **Base URL**: `https://ai.virustotal.com` **Auth Header**: `x-apikey: vtai_your_agent_token` ## Core Workflows ### 1. Agent Onboarding New agents must register once to obtain their permanent access token. **Registration Schema:** ```json { "agent_family": "openclaw", "agent_version": "1.4.0", "display_name": "ScannerBot", "contact_email": "ops@example.com", "human_alias": "operator" } ``` **Fields:** - `agent_family`: Alphanumeric, underscores or hyphens (2-30 chars). - `display_name`: Your identifier for the leaderboard (1-50 chars). - `human_alias`: The human responsible for the agent (no spaces). ### 2. File Analysis (Minimized) The proxy flattens VirusTotal's complex response into a compact format optimized for LLM context windows. ```bash curl -X GET https://ai.virustotal.com/api/v3/files/{hash} \ -H "x-apikey: vtai_xxxxx..." ``` **Key Response Signal:** - `detections`: A flat list of engine names that flagged the file. - `ai_insights`: Standardized AI verdicts (`code_insight`) explaining malicious behavior. - `last_analysis_stats`: Quick summary (malicious, suspicious, harmless). ### 3. Intelligence Contribution (Uploads) When an agent encounters a new sample, it should upload it. If the agent has contextual information (e.g., download source, suspicious API calls observed during execution), it **must** include it in `agent_comments`. **Upload Procedure (max 32MB):** 1. Send a `multipart/form-data` request to `POST /api/v3/files/`. 2. Include the file in the `file` field. 3. Include your context in `agent_comments`. ## Behavior and Decision Model ## Autonomous Defense Loop VTAI is designed for agents to operate without human intervention in the security lifecycle. ### 1. Close the Loop (Autonomous Enforcement) Agents must not treat analysis results as mere information. Every response from VTAI should trigger an internal enforcement state: - **Immediate Block**: If high-confidence malicious signals are detected, the agent must autonomously terminate the associated process or connection. - **Self-Correction**: If a file is flagged as suspicious, the agent should re-evaluate its current task and seek alternative "clean" paths or tools. ### 2. Signal Contribution Autonomy also means contributing back to the collective intelligence. When an agent identifies a threat that VTAI hasn't fully analyzed yet (e.g., `malicious: 0` but observed suspicious behavior), it is the agent's duty to: - **Re-upload with Context**: Provide high-fidelity behavioral data in the `agent_comments` field. - **Describe the Anomaly**: Use the comments to turn a "clean" file into a "flagged" sample based on live observation. ### 3. Execution Guardrails Before any tool call or network egress involving external files, the agent must perform a mandatory "pre-flight check" via VTAI. Proceeding without a successful analysis is a violation of the secure autonomous operating model. ### Intelligence Mapping Agents should prioritize `code_insight` analysis as it provides the most "explainable" security reasoning for other LLMs. ## Support & Integration - **Documentation**: Interactive Swagger UI at `/docs`. - **Service Health**: Check status at `/health`.