VirusTotal Python API Docs | dltHub

VirusTotal API allows scanning files, URLs, domains, and IPs for malicious content; sign up for a free account to access basic features; advanced features require a private API key. The REST API base URL is https://www.virustotal.com/api/v3 and All requests require an API key sent in the x-apikey header..

dlt is an open-source Python library that handles authentication, pagination, and schema evolution automatically. dlthub provides AI context files that enable code assistants to generate production-ready pipelines. Install with uv pip install "dlt[workspace]" and start loading VirusTotal data in under 10 minutes.

---

What data can I load from VirusTotal?

Here are some of the endpoints you can load from VirusTotal:

---

How do I authenticate with the VirusTotal API?

VirusTotal API v3 uses an API key placed in the request header named "x-apikey". Include also 'accept: application/json' for JSON responses. Do not send the key as a URL parameter.

1. Get your credentials

1. Create or sign in to a VirusTotal account at https://www.virustotal.com/gui/join-us.
2. Go to your user profile / API key section (Account settings / API key).
3. Copy the provided API key.
4. For private/enterprise features request access or upgrade per VirusTotal instructions.

2. Add them to .dlt/secrets.toml

Copy
[sources.virustotal_source]
api_key = "your_virustotal_api_key_here"

dlt reads this automatically at runtime — never hardcode tokens in your pipeline script. For production environments, see setting up credentials with dlt for environment variable and vault-based options.

---

How do I set up and run the pipeline?

Set up a virtual environment and install dlt:

Copy
uv venv && source .venv/bin/activate
uv pip install "dlt[workspace]"

1. Install the dlt AI Workbench:

Copy
dlt ai init --agent <your-agent> # <agent>: claude | cursor | codex

This installs project rules, a secrets management skill, appropriate ignore files, and configures the dlt MCP server for your agent. Learn more →

2. Install the rest-api-pipeline toolkit:

Copy
dlt ai toolkit rest-api-pipeline install

This loads the skills and context about dlt the agent uses to build the pipeline iteratively, efficiently, and safely. The agent uses MCP tools to inspect credentials — it never needs to read your secrets.toml directly. Learn more →

3. Start LLM-assisted coding:

Use /find-source to load data from the VirusTotal API into DuckDB.

The rest-api-pipeline toolkit takes over from here — it reads relevant API documentation, presents you with options for which endpoints to load, and follows a structured workflow to scaffold, debug, and validate the pipeline step by step.

4. Run the pipeline:

Copy
python virustotal_pipeline.py

If everything is configured correctly, you'll see output like this:

Copy
Pipeline virustotal_pipeline load step completed in 0.26 seconds
1 load package(s) were loaded to destination duckdb and into dataset virustotal_data
The duckdb destination used duckdb:/virustotal.duckdb location to store data
Load package 1749667187.541553 is LOADED and contains no failed jobs

Inspect your pipeline and data:

Copy
dlt pipeline virustotal_pipeline show

This opens the Pipeline Dashboard where you can verify pipeline state, load metrics, schema (tables, columns, types), and query the loaded data directly.

---

Python pipeline example

This example loads files and file from the VirusTotal API into DuckDB. It mirrors the endpoint and data selector configuration from the table above:

Copy
import dlt
from dlt.sources.rest_api import RESTAPIConfig, rest_api_resources

@dlt.source
def virustotal_source(api_key=dlt.secrets.value):
    config: RESTAPIConfig = {
        "client": {
            "base_url": "https://www.virustotal.com/api/v3",
            "auth": {
                "type": "api_key",
                "api_key": api_key,
            },
        },
        "resources": [
            {"name": "files", "endpoint": {"path": "files", "data_selector": "data"}},
            {"name": "file", "endpoint": {"path": "files/{id}", "data_selector": "data"}}
        ],
    }
    yield from rest_api_resources(config)


def get_data() -> None:
    pipeline = dlt.pipeline(
        pipeline_name="virustotal_pipeline",
        destination="duckdb",
        dataset_name="virustotal_data",
    )
    load_info = pipeline.run(virustotal_source())
    print(load_info)

To add more endpoints, append entries from the resource table to the "resources" list using the same name, path, and data_selector pattern.

---

How do I query the loaded data?

Once the pipeline runs, dlt creates one table per resource. You can query with Python or SQL.

Python (pandas DataFrame):

Copy
import dlt

data = dlt.pipeline("virustotal_pipeline").dataset()
sessions_df = data.files.df()
print(sessions_df.head())

SQL (DuckDB example):

Copy
SELECT * FROM virustotal_data.files LIMIT 10;

In a marimo or Jupyter notebook:

Copy
import dlt

data = dlt.pipeline("virustotal_pipeline").dataset()
data.files.df().head()

See how to explore your data in marimo Notebooks and how to query your data in Python with dataset.

---

What destinations can I load VirusTotal data to?

dlt supports loading into any of these destinations — only the destination parameter changes:

Change the destination in dlt.pipeline(destination="snowflake") and add credentials in .dlt/secrets.toml. See the full destinations list.

---

Next steps

Continue your data engineering journey with the other toolkits of the dltHub AI Workbench:

• data-exploration — Build custom notebooks, charts, and dashboards for deeper analysis with marimo notebooks.
• dlthub-runtime — Deploy, schedule, and monitor your pipeline in production.

Copy
dlt ai toolkit data-exploration install
dlt ai toolkit dlthub-runtime install

• How to deploy a pipeline
• How to explore your data in marimo Notebooks
• How to query your data in Python with dataset
• Join the dlt community on Slack