Investigate Suspicious IP Addresses

Check IP addresses against abuse databases and threat feeds to assess risk before allowing traffic into your network.

When an unusual IP appears in your server logs, authentication events, or firewall alerts, you need a fast answer: is this address associated with known abuse, scanning activity, or malicious infrastructure? Manually checking IPs one by one across different abuse databases burns time and produces inconsistent results.

Security Scanner's `check_ip` skill queries abuse databases and threat intelligence feeds for a given IP, returning reputation scores, abuse reports, geolocation context, and any known association with botnets or malicious actors. You can check 200 IP addresses from a log export and get risk-ranked results in minutes.

SOC analysts, system administrators, and network security teams use this to triage authentication spikes, evaluate new traffic sources, and build block lists from firewall logs.
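Preparing a log export for `check_ip`, as an added example (not ToolRouter's own code): it pulls source addresses from failed SSH logins, drops internal and malformed entries, and ranks the rest by failure count so the noisiest sources are checked first. The OpenSSH line format, the function names, and the batch size of 200 (taken from the figure above, not a documented limit) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH auth-log style. Documentation-range
# addresses stand in for public sources.
SAMPLE_LOG = """\
Mar 03 10:01:12 web1 sshd[811]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar 03 10:01:15 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar 03 10:02:40 web1 sshd[812]: Failed password for deploy from 10.0.4.17 port 40022 ssh2
Mar 03 10:03:02 web1 sshd[813]: Failed password for root from 198.51.100.7 port 33211 ssh2
Mar 03 10:03:09 web1 sshd[814]: Accepted publickey for deploy from 192.0.2.10 port 50100 ssh2
Mar 03 10:04:51 web1 sshd[815]: Failed password for root from 2001:db8::bad:1 port 40100 ssh2
Mar 03 10:05:00 web1 sshd[816]: Failed password for root from 999.1.1.1 port 40101 ssh2
"""

# Ranges a reputation lookup cannot say anything useful about.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def is_internal(ip):
    """True for loopback, link-local, RFC 1918, CGNAT and IPv6 ULA addresses."""
    return any(ip.version == net.version and ip in net for net in INTERNAL)

def candidates(log_text, limit=200):
    """Return [(ip, failed_logins)] for external sources, noisiest first."""
    hits = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue  # successful logins and unrelated lines are not triage input
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed address token in the log
        if not is_internal(ip):
            hits[str(ip)] += 1  # str() normalises IPv6 spelling, so duplicates merge
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit]

if __name__ == "__main__":
    for ip, count in candidates(SAMPLE_LOG):
        print(f"{ip}\t{count}")
```

The resulting list is what you paste into the agent conversation; keeping the failure count next to each address lets you weigh the reputation result against what the address actually did on your host.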

Agent Guides

Claude

  1. Connect ToolRouter in Claude: `claude mcp add toolrouter -- npx -y toolrouter-mcp`
  2. Paste the IP addresses from your logs or alert into the conversation.
  3. Ask Claude to check each IP via `security-scanner` using `check_ip`.

ChatGPT

  1. Connect ToolRouter in ChatGPT: `{"mcpServers":{"toolrouter":{"command":"npx","args":["-y","toolrouter-mcp"]}}}`
  2. Paste the IP addresses and provide the context — which service they hit and when.
  3. Ask ChatGPT to run `check_ip` for each one via `security-scanner`.

Copilot

  1. Connect ToolRouter in Copilot: `{"mcpServers":{"toolrouter":{"command":"npx","args":["-y","toolrouter-mcp"]}}}`
  2. Extract the IPs from a log file or structured application event in your workspace.
  3. Ask Copilot to run `check_ip` for each IP via `security-scanner`.

OpenClaw

  1. Connect ToolRouter in OpenClaw: `openclaw mcp add toolrouter -- npx -y toolrouter-mcp`
  2. Export the IP list from your firewall logs, SIEM, or network scan output.
  3. Run `security-scanner` with `check_ip` for each IP and collect the results in a normalized schema.

Related Use Cases

Check URLs Before Clicking

Scan suspicious links against threat intelligence feeds before opening them or sharing them with colleagues.

Scan Domain Reputation

Check domains against threat intelligence feeds to catch malicious infrastructure, brand impersonation, and newly registered lookalikes.

Verify File Hashes for Malware

Check MD5, SHA1, or SHA256 file hashes against threat intelligence databases to determine if a file is known malware before executing it.

Generate a Security Report

Run a comprehensive security assessment across a domain or IP and get a structured report covering all threat vectors in one pass.
