Get started
Tools / Security Scanner
Security Scanner icon

Security Scanner

Scan URLs, IPs, domains and files for threats

Check URLs, domains, IPs, and file hashes against 70+ AV engines, URLhaus, AbuseIPDB, and ThreatFox. Probe targets for security headers and TLS. Scan for vulnerabilities. Generate risk-scored security reports.

7 skillsv0.04
Check URL

Check if a URL is malicious, phishing, or suspicious by scanning it against 70+ security engines. Returns a verdict, detection count, and category classifications.

Returns: Threat verdict, detection stats from 70+ engines, reputation score, and URL categories
Parameters
url *stringFull URL to check (e.g. https://example.com/page)
Example
Check if a URL is safe to visit
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "security-scanner",
  "skill": "check_url",
  "input": {
    "url": "https://example.com"
  }
}' \
  https://api.toolrouter.com/v1/tools/call
Check Domain

Get the threat reputation of a domain including detection stats from 70+ engines, DNS records, WHOIS data, registrar info, and popularity rankings.

Returns: Domain threat verdict, DNS records, WHOIS info, registrar, and popularity rankings
Parameters
domain *stringDomain name to check (e.g. example.com)
Example
Check domain reputation for example.com
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "security-scanner",
  "skill": "check_domain",
  "input": {
    "domain": "example.com"
  }
}' \
  https://api.toolrouter.com/v1/tools/call
Check IP Address

Look up an IP address for threat intelligence including detection stats from 70+ engines, geolocation, ASN ownership, and network details.

Returns: IP threat verdict, geolocation, ASN ownership, network range, and detection stats
Parameters
ip *stringIPv4 or IPv6 address to check (e.g. 8.8.8.8)
Example
Check if an IP address is associated with threats
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "security-scanner",
  "skill": "check_ip",
  "input": {
    "ip": "8.8.8.8"
  }
}' \
  https://api.toolrouter.com/v1/tools/call
Check File Hash

Look up a file hash (MD5, SHA-1, or SHA-256) to check if the file is known malware. Returns detection stats from 70+ antivirus engines, sandbox verdicts, and file metadata.

Returns: File threat verdict, AV detection stats, sandbox analysis, and file metadata
Parameters
hash *stringFile hash — MD5 (32 chars), SHA-1 (40 chars), or SHA-256 (64 chars)
Example
Check if a file hash is known malware
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "security-scanner",
  "skill": "check_hash",
  "input": {
    "hash": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
  }
}' \
  https://api.toolrouter.com/v1/tools/call
Scan Targets

Scan web targets for security vulnerabilities by severity. Checks transport security, headers, and common exposure paths like .env and .git.

Returns: Severity-filtered security findings with scanner mode and per-severity counts
Parameters
targets *arrayList of URLs or hostnames to scan
severitystringMinimum severity threshold to include in output
use_binarybooleanAttempt to use nuclei binary when available in PATH
active_checksbooleanEnable additional active path checks (e.g. /.env, /.git/HEAD) in builtin mode
max_targetsnumberMaximum number of targets to scan from the list (1-100)
timeout_msnumberTimeout per target request in milliseconds (3000-120000)
Example
Run a vulnerability scan on example.com
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "security-scanner",
  "skill": "scan_targets",
  "input": {
    "targets": [
      "example.com"
    ],
    "severity": "medium"
  }
}' \
  https://api.toolrouter.com/v1/tools/call
Probe Hosts

Probe multiple web targets for HTTP status, response times, TLS certificates, security headers, and technology signals. Scan up to 100 hosts concurrently.

Returns: Per-target probe intelligence including status, TLS posture, security headers, and reachability
Parameters
targets *arrayList of hostnames or URLs to probe
max_targetsnumberMaximum targets to probe (1-100)
timeout_msnumberPer-target timeout in milliseconds (2000-60000)
concurrencynumberConcurrent probe workers (1-20)
follow_redirectsbooleanFollow HTTP redirects
include_body_previewbooleanInclude first 500 chars of body text
Example
Probe websites for security posture
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "security-scanner",
  "skill": "probe_hosts",
  "input": {
    "targets": [
      "example.com",
      "https://openai.com"
    ]
  }
}' \
  https://api.toolrouter.com/v1/tools/call
Security Report

Comprehensive one-shot security audit. Runs domain reputation, URL check, host probing, and vulnerability scan in parallel. Returns a unified risk score (0-100) with risk factors.

Returns: Unified security report with risk score, risk factors, and full intelligence from 5+ sources
Parameters
target *stringDomain or URL to audit (e.g. example.com)
Example
Run a full security audit on a domain
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{
  "tool": "security-scanner",
  "skill": "security_report",
  "input": {
    "target": "example.com"
  }
}' \
  https://api.toolrouter.com/v1/tools/call
Loading reviews...
Loading activity...
v0.042026-03-25
  • Merged security-httpx probe_hosts skill — one tool for all security checks
  • Multi-source enrichment: URLhaus + ThreatFox (free) on all checks, AbuseIPDB on IP checks
  • Added security_report — comprehensive one-shot audit with risk scoring
  • Now queries 5 threat intelligence sources in parallel per check
v0.032026-03-25
  • Renamed to security-scanner
  • Added VirusTotal threat intelligence: check_url, check_domain, check_ip, check_hash
  • Now scans URLs, domains, IPs, and file hashes against 70+ antivirus engines
v0.022026-03-22
  • Added subtitle, expanded description, and agent instructions
v0.012026-03-20
  • Initial release as security-nuclei

Quick Start

MCP (Claude Code)
claude mcp add --transport stdio \
  --env TOOLROUTER_API_KEY=YOUR_API_KEY \
  toolrouter -- npx -y toolrouter-mcp
REST API
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
  -d '{"tool":"security-scanner","skill":"check_url","input":{}}' \
  https://api.toolrouter.com/v1/tools/call

Frequently Asked Questions

What kind of checks does Security Scanner combine?

It combines reputation lookups for URLs, domains, IPs, and file hashes with host probing, vulnerability scanning, and a one-shot security report. That makes it useful when you want both threat intelligence and basic exposure checks in one place.

Which skill should I use for a suspicious site, server, or file?

Use `check_url` for a full URL, `check_domain` for a domain reputation check, `check_ip` for an IP address, and `check_hash` for a file hash. If you want a broader web-target assessment, use `probe_hosts`, `scan_targets`, or `security_report`.

Does it actively scan targets or only query threat feeds?

It does both. The reputation skills query security data sources, while `probe_hosts` inspects HTTP, TLS, and security headers and `scan_targets` checks for common exposures and vulnerabilities.

Is it instant or does it run asynchronously?

Most reputation checks return quickly. The broader `scan_targets` and `security_report` flows can take longer and are better treated as async security jobs.