
feat: add VirusTotal API integration for skill security scanning#410

Merged: marcusquinn merged 1 commit into main from feature/virustotal-skill-scanning on Feb 7, 2026

Conversation

@marcusquinn (Owner) commented Feb 7, 2026

Summary

  • Add virustotal-helper.sh (~814 lines) wrapping VirusTotal API v3 for advisory threat intelligence on imported skills
  • Integrate VT scanning into security-helper.sh (new vt-scan command + advisory layer in skill-scan)
  • Integrate VT advisory scanning into add-skill-helper.sh for both GitHub and ClawdHub skill imports
  • Update documentation (skill-scanner.md, security-analysis.md, README.md)

What it does

VirusTotal provides a second layer of security scanning alongside the Cisco Skill Scanner:

  1. File hash lookup - SHA256 of each skill file checked against VT's 70+ AV engine database
  2. Domain/URL reputation - URLs extracted from skill content are checked for malicious domains
  3. Rate limited - 16s between requests (free tier: 4 req/min), max 8 requests per skill scan

Design decisions

  • Advisory only, non-blocking - Cisco Skill Scanner remains the security gate for imports. VT adds value but won't block imports alone (text/markdown files are rarely in VT's database)
  • API key via gopass - Stored as VIRUSTOTAL_MARCUSQUINN in encrypted gopass storage
  • Graceful degradation - If VT API key is not configured, VT scanning is silently skipped

Testing

  • virustotal-helper.sh status - API key verified, account confirmed
  • virustotal-helper.sh scan-file - File hash lookup works (text files correctly return UNKNOWN)
  • virustotal-helper.sh scan-domain google.com - Domain reputation check works
  • security-helper.sh vt-scan status - Delegation through security-helper works
  • security-helper.sh status - VT shows as configured in tool status
  • ShellCheck: zero violations on all 3 modified scripts

Files changed

File Change
.agents/scripts/virustotal-helper.sh NEW - VT API v3 wrapper (814 lines)
.agents/scripts/security-helper.sh Add cmd_vt_scan(), VT advisory in cmd_skill_scan(), fix VT status check
.agents/scripts/add-skill-helper.sh Add scan_skill_virustotal() + 2 call sites
.agents/tools/code-review/skill-scanner.md VT integration docs, API key reference update
.agents/tools/code-review/security-analysis.md VT scanning section, comparison table, CLI docs
README.md VT in security tools list + skill scanning section

Summary by CodeRabbit

  • New Features

    • Added VirusTotal integration for optional threat intelligence scanning of skills, files, URLs, and domains as an advisory layer. Non-blocking scans complement existing security checks.
  • Documentation

    • Updated security scanning documentation with VirusTotal integration details, API key setup, and workflow guidance.

Add virustotal-helper.sh wrapping VT API v3 for advisory threat intelligence
on imported skills. Scans file hashes against 70+ AV engines and checks
domain/URL reputation referenced in skill content.

Integration points:
- security-helper.sh: new vt-scan command + advisory VT layer in skill-scan
- add-skill-helper.sh: VT advisory scan after GitHub and ClawdHub imports
- skill-scanner.md and security-analysis.md: updated documentation
- README.md: VT listed in security tools and skill scanning sections

Design: VT scans are advisory/non-blocking (Cisco scanner remains the gate).
Rate limited to free tier (4 req/min, max 8 per skill scan).
@gemini-code-assist bot commented

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security scanning capabilities for imported skills by integrating the VirusTotal API. It introduces an advisory layer of threat intelligence, allowing the system to check file hashes and domain/URL reputations against VirusTotal's extensive database. This integration provides an additional security check without impeding the existing Cisco Skill Scanner, ensuring a more robust and comprehensive security posture for skill imports.

Highlights

  • New VirusTotal Helper Script: Introduced virustotal-helper.sh (814 lines) to wrap the VirusTotal API v3, enabling file hash, URL, and domain scanning capabilities.
  • Integrated VT Scanning: Added VirusTotal scanning capabilities to security-helper.sh via a new vt-scan command and an advisory layer within the skill-scan command.
  • Automated Skill Import Scanning: Integrated advisory VirusTotal scanning into add-skill-helper.sh for both GitHub and ClawdHub skill import workflows.
  • Comprehensive Documentation: Updated skill-scanner.md, security-analysis.md, and README.md to reflect the new VirusTotal integration, including usage, design decisions, and API key setup.
Changelog
  • .agents/scripts/add-skill-helper.sh
    • Added a new function scan_skill_virustotal to perform advisory VirusTotal scans on skill files and referenced domains.
    • Integrated scan_skill_virustotal into the cmd_add function for both GitHub and ClawdHub skill import workflows.
  • .agents/scripts/security-helper.sh
    • Introduced a new command cmd_vt_scan to allow standalone VirusTotal scanning of files, URLs, domains, or skills.
    • Incorporated an advisory VirusTotal scan into the cmd_skill_scan function, running after the primary Cisco Skill Scanner.
    • Updated the cmd_status function to display the configuration status of the VirusTotal API key.
  • .agents/scripts/virustotal-helper.sh
    • A new script was added, providing a comprehensive wrapper for the VirusTotal API v3.
    • It includes functions for scanning files by SHA256 hash, URLs, domains, and entire skill directories.
    • Features API key resolution from gopass or environment variables, rate limiting, and detailed output parsing.
  • .agents/tools/code-review/security-analysis.md
    • Updated the "Quick Reference" section to include vt-scan in the commands and VirusTotal in the integrations.
    • Added a new detailed section "VirusTotal Scanning" covering its role, usage, how it works, API key setup, and integration points.
    • Modified the "Comparison with Other Tools" table to include VirusTotal as a feature.
    • Updated example commands to include vt-scan.
    • Added references to VirusTotal and VirusTotal API v3.
    • Updated the concluding summary to mention VirusTotal threat intelligence.
  • .agents/tools/code-review/skill-scanner.md
    • Updated the "VirusTotal" entry in the "Tools" table to reflect the new rate limit and API key resolution methods.
    • Added a new section "VirusTotal Integration" explaining its advisory nature, operational details, usage examples, and API key setup.
  • README.md
    • Added a new paragraph in the skill scanning section explaining the advisory role of VirusTotal scanning.
    • Included VirusTotal in the list of integrated security tools.
Activity
  • The author confirmed the VirusTotal API key and account status using virustotal-helper.sh status.
  • File hash lookup functionality was verified by scanning a text file with virustotal-helper.sh scan-file.
  • Domain reputation checks were tested successfully using virustotal-helper.sh scan-domain google.com.
  • The security-helper.sh vt-scan status command was used to confirm proper delegation and status reporting.
  • All three modified scripts passed ShellCheck with zero violations.

@coderabbitai coderabbitai bot (Contributor) commented Feb 7, 2026

Walkthrough

This PR introduces VirusTotal threat intelligence integration into the security scanning workflow. A new virustotal-helper.sh script provides comprehensive VirusTotal API v3 support for scanning files, URLs, domains, and skill directories. Integration points in security-helper.sh and add-skill-helper.sh incorporate optional VT scans post-security checks. All VT findings remain advisory and non-blocking.

Changes

Cohort / File(s) Summary
Core VirusTotal Implementation
.agents/scripts/virustotal-helper.sh
New 813-line Bash script implementing full VirusTotal API v3 integration with commands for scanning files, URLs, domains, and skills. Includes SHA-256 hashing, API key resolution, rate limiting, verdict parsing, and structured output (JSON/human-readable). Robust error handling and dependency checking.
Security Scanning Workflow Integration
.agents/scripts/security-helper.sh
Adds cmd_vt_scan() command delegating to virustotal-helper.sh. Extends cmd_skill_scan to optionally run advisory VT scans on completed skill scans. Integrates VT status reporting into cmd_status. Routes new vt-scan|virustotal CLI command.
Skill Import Integration
.agents/scripts/add-skill-helper.sh
Introduces scan_skill_virustotal() function that performs advisory VT scanning post-security checks. Integrated into both GitHub/ClawdHub add command paths and ClawdHub import path, running after Cisco security scan completes but before commit/registration.
Documentation Updates
.agents/tools/code-review/security-analysis.md, .agents/tools/code-review/skill-scanner.md, README.md
Expanded security tooling documentation to include VirusTotal alongside existing Cisco/Snyk tools. Added VirusTotal Scanning section with usage examples, API key setup via gopass, and workflow details. Updated comparison matrices and tool dependencies.

Sequence Diagram(s)

sequenceDiagram
    participant User as User/CLI
    participant ASH as add-skill-helper.sh
    participant SH as security-helper.sh
    participant CScan as Cisco Security<br/>Scanner
    participant VTHelper as virustotal-helper.sh
    participant VTAPI as VirusTotal API v3

    User->>ASH: add skill command
    ASH->>SH: invoke security scan
    SH->>CScan: run blocking<br/>security check
    CScan-->>SH: scan results
    alt Cisco clears skill
        SH->>VTHelper: scan_skill_virustotal<br/>(advisory)
        VTHelper->>VTHelper: compute file hashes<br/>extract domains/URLs
        VTHelper->>VTAPI: query file hashes<br/>domain reputation
        VTAPI-->>VTHelper: threat intelligence
        VTHelper->>VTHelper: aggregate results<br/>parse verdicts
        VTHelper-->>SH: advisory findings<br/>(non-blocking)
        SH-->>ASH: advisory status only
    else Cisco blocks
        SH-->>ASH: failed (blocks skill)
    end
    alt VT findings present
        ASH->>ASH: log advisory warnings
    end
    ASH->>User: proceed with registration<br/>(or halt if Cisco blocked)

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🔍 VirusTotal's watchful eye now scans each skill,
Advisory whispers float without blocking will,
Files, URLs, domains—all tracked with care,
Security layers dance through DevOps air,
Cisco stands firm, while VT shares what's fair. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 55.56% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately and specifically describes the main change: adding VirusTotal API integration for skill security scanning.


@github-actions bot commented Feb 7, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 25 code smells

[INFO] Recent monitoring activity:
Sat Feb 7 01:17:55 UTC 2026: Code review monitoring started
Sat Feb 7 01:17:55 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 25
Sat Feb 7 01:17:55 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Sat Feb 7 01:17:57 UTC 2026: Codacy analysis completed with auto-fixes

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 25
  • VULNERABILITIES: 0

Generated on: Sat Feb 7 01:18:00 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@sonarqubecloud bot commented Feb 7, 2026

@gemini-code-assist bot left a comment


Code Review

This pull request introduces a valuable security enhancement by integrating VirusTotal for advisory scanning of skills. The implementation is comprehensive, including a new helper script, integration into existing security workflows, and updated documentation. My review focuses on improving the robustness and correctness of the new virustotal-helper.sh script, particularly around error handling, logging, and script efficiency. I've also noted a minor documentation inconsistency in add-skill-helper.sh. Overall, this is a solid addition to the project's security capabilities.

@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 4

🤖 Fix all issues with AI agents
In @.agents/scripts/add-skill-helper.sh:
- Around line 611-616: The log points users to "virustotal-helper.sh" without a
path; update the warning/info messages around the "$vt_helper" call (the block
using vt_helper scan-skill and the log_info/log_warning functions) to print the
explicit path to the helper binary/script (use the value of the vt_helper
variable or resolve it via which/command -v) so the guidance works even when the
script is not in PATH; keep messages advisory (no exit change) but include the
resolved path in both the log_warning and the follow-up log_info.

In @.agents/scripts/security-helper.sh:
- Around line 583-600: The VT scan currently always calls "$vt_helper"
scan-skill on the directory (scan_dir), which causes full-directory scans for
single-file skills; change the logic to detect file-based skills by checking
full_path and the filename pattern (e.g., basename matching "*-skill.md" or
simply that full_path is a regular file representing the skill) and call
"$vt_helper" scan-file "$full_path" for those, otherwise keep using "$vt_helper"
scan-skill "$scan_dir"; preserve the existing --quiet, stderr suppression, the
vt_issues increment and the echo "VT flagged issues" message/error handling
around the command so behavior and logging remain consistent.

In @.agents/scripts/virustotal-helper.sh:
- Around line 490-635: The script currently only increments request_count on
successful vt_request calls (in both file-hash phase and domain phase), which
allows failed lookups to bypass your max_requests cap; update the logic around
vt_request (the GET calls in the file-hash loop and the domain loop where
vt_request is invoked) to count every request attempt regardless of success by
incrementing request_count immediately after invoking vt_request (or in the
failure branches) and before any continue/skip, and ensure rate_limit_wait is
still called consistently between attempts (i.e., keep calling rate_limit_wait
when request_count < max_requests).
- Around line 138-266: Ensure jq is present and make vt_request capture and
return HTTP status codes and JSON validation: inside vt_request check command -v
jq and fail early if missing; call curl with -w "%{http_code}" to capture
body+status, split them, validate body is JSON with jq -e . before any jq
parsing, and treat non-200 statuses as errors (but return status 404 separately
so caller can treat "not found" differently). Update cmd_scan_file to call
vt_request and inspect the returned status code (or special return format) so
only a 404 leads to the "file not in VT database" path while other HTTP errors
(401, 429, 5xx) and JSON/parse errors are logged/returned as failures; keep
existing helpers like file_sha256 and parse_verdict unchanged but ensure callers
only invoke jq on validated JSON.

@marcusquinn marcusquinn merged commit cbcc139 into main Feb 7, 2026
27 checks passed
marcusquinn added a commit that referenced this pull request Feb 7, 2026
…ting (t147.3)

- Redirect all log functions to stderr to prevent stdout pollution in command substitution
- Return exit code 2 from vt_request for NotFoundError, allowing callers to distinguish 404 from quota/network errors
- Fix cmd_scan_file to propagate real API errors instead of treating all failures as 'not in database'
- Count every API request attempt toward rate limit, not just successful ones
- Replace O(n²) domain dedup loop with associative array lookup
- Add early jq dependency check in main() for clear error messaging
- Fix security-helper.sh to scan file directly for file-based skills instead of entire parent directory
- Fix add-skill-helper.sh: correct return value comment, use resolved path in log message

Addresses 9 review threads (3 high, 3 major, 3 medium) from PR #410.
Closes #444
marcusquinn added a commit that referenced this pull request Feb 7, 2026
…ting (t147.3) (#468)

* chore: mark t135.8 blocked in TODO.md

* fix: harden VirusTotal error handling, logging, and rate-limit accounting (t147.3)

- Redirect all log functions to stderr to prevent stdout pollution in command substitution
- Return exit code 2 from vt_request for NotFoundError, allowing callers to distinguish 404 from quota/network errors
- Fix cmd_scan_file to propagate real API errors instead of treating all failures as 'not in database'
- Count every API request attempt toward rate limit, not just successful ones
- Replace O(n²) domain dedup loop with associative array lookup
- Add early jq dependency check in main() for clear error messaging
- Fix security-helper.sh to scan file directly for file-based skills instead of entire parent directory
- Fix add-skill-helper.sh: correct return value comment, use resolved path in log message

Addresses 9 review threads (3 high, 3 major, 3 medium) from PR #410.
Closes #444