aiden-runtime 3.19.4 → 3.19.6

package/workspace-templates/skills/test-driven-development/SKILL.md

@@ -0,0 +1,164 @@
+---
+name: test-driven-development
+description: Write software using the RED-GREEN-REFACTOR cycle for reliable, well-tested code
+category: developer
+version: 1.0.0
+origin: aiden
+license: Apache-2.0
+tags: tdd, testing, red-green-refactor, unit-tests, pytest, jest, vitest, quality, development
+---
+
+# Test-Driven Development (TDD)
+
+Use the RED-GREEN-REFACTOR cycle to write reliable, well-tested software. Write tests first, then write the minimal code to pass them, then clean up.
+
+## When to Use
+
+- User wants to implement a new function or module correctly
+- User wants to ensure edge cases are handled before they become bugs
+- User is refactoring and wants a safety net
+- User wants tests for business-critical logic
+- User wants to document behavior through executable tests
+
+## How to Use
+
+### The TDD cycle
+
+```
+RED    → Write a failing test for the behavior you want
+GREEN  → Write the minimum code to make the test pass
+REFACTOR → Clean up the code without breaking tests
+Repeat for each small behavior increment
+```
+
+### Phase 1: RED — Write a failing test first
+
+Write the test before the implementation. It must fail to prove the test works.
+
+```python
+# test_calculator.py — write this BEFORE calculator.py
+import pytest
+from calculator import add
+
+def test_add_two_positive_numbers():
+  assert add(2, 3) == 5
+
+def test_add_negative_number():
+  assert add(-1, 5) == 4
+
+def test_add_floats():
+  assert abs(add(0.1, 0.2) - 0.3) < 1e-9
+```
+
+Run the tests — they should fail with `ModuleNotFoundError` or `ImportError`:
+
+```powershell
+pytest test_calculator.py -v
+# Expected: FAILED (module not found)
+```
+
+### Phase 2: GREEN — Minimal implementation to pass
+
+Write only enough code to make the tests pass — nothing more.
+
+```python
+# calculator.py
+def add(a, b):
+  return a + b
+```
+
+```powershell
+pytest test_calculator.py -v
+# Expected: 3 PASSED
+```
+
+### Phase 3: REFACTOR — Improve code quality
+
+Clean up implementation and tests while keeping all tests green.
+
+```python
+# calculator.py — add type hints and docstring
+def add(a: float, b: float) -> float:
+  """Return the sum of a and b."""
+  return a + b
+```
+
+```powershell
+pytest test_calculator.py -v  # must still pass after refactor
+```
+
+### Write tests with pytest (Python)
+
+```python
+# Parametrize for multiple cases
+@pytest.mark.parametrize("a,b,expected", [
+  (2, 3, 5),
+  (-1, 5, 4),
+  (0, 0, 0),
+  (1.5, 2.5, 4.0),
+])
+def test_add(a, b, expected):
+  assert add(a, b) == expected
+
+# Test exceptions
+def test_add_rejects_string():
+  with pytest.raises(TypeError):
+    add("hello", 2)
+```
+
+### Write tests with Vitest / Jest (TypeScript / JavaScript)
+
+```typescript
+// calculator.test.ts
+import { describe, it, expect } from 'vitest'
+import { add } from './calculator'
+
+describe('add()', () => {
+  it('adds two positive numbers', () => {
+    expect(add(2, 3)).toBe(5)
+  })
+
+  it('handles negative numbers', () => {
+    expect(add(-1, 5)).toBe(4)
+  })
+
+  it('throws on non-number input', () => {
+    expect(() => add('a' as any, 2)).toThrow()
+  })
+})
+```
+
+### TDD for API endpoints
+
+```python
+# test_api.py — RED first
+def test_create_user_returns_201(client):
+  resp = client.post("/users", json={"name": "Alice", "email": "alice@example.com"})
+  assert resp.status_code == 201
+  assert resp.json()["id"] is not None
+
+def test_create_user_rejects_missing_email(client):
+  resp = client.post("/users", json={"name": "Alice"})
+  assert resp.status_code == 422
+
+# Then implement the /users endpoint to make these pass
+```
+
+## Examples
+
+**"Implement a function that validates Indian phone numbers"**
+→ RED: write tests for +91 10-digit numbers, reject 9-digit, reject letters. GREEN: implement regex. REFACTOR: add named groups, docstring.
+
+**"Add a discount calculator to the checkout module"**
+→ RED: test 10% off, 0% off, 100% off, reject negative discount. GREEN: minimal implementation. REFACTOR: extract constants, add type hints.
+
+**"I want to refactor this function but keep it working"**
+→ Write characterization tests first (tests that document current behavior), then refactor with test safety net.
+
+## Cautions
+
+- Never skip the RED phase — a test that was never failing might not actually test anything
+- Tests should be independent — each test must set up its own state and not depend on test order
+- Aim for one assertion per test — tests with multiple assertions are harder to diagnose when they fail
+- TDD is slower upfront but faster overall — set this expectation with the user
+- Mock external services (APIs, databases) in unit tests — test real integrations separately

package/workspace-templates/skills/test-driven-development/skill.json

@@ -0,0 +1,25 @@
+{
+  "name": "test-driven-development",
+  "version": "1.0.0",
+  "description": "Write software using the RED-GREEN-REFACTOR cycle for reliable, well-tested code",
+  "author": "aiden",
+  "license": "MIT",
+  "tools": [],
+  "trigger_phrases": [],
+  "compatible_agents": [
+    "aiden"
+  ],
+  "min_agent_version": "3.0.0",
+  "tags": [
+    "tdd",
+    "testing",
+    "red-green-refactor",
+    "unit-tests",
+    "pytest",
+    "jest",
+    "vitest",
+    "quality",
+    "development"
+  ],
+  "created": "2026-04-27T17:11:40.912Z"
+}

package/workspace-templates/skills/urlscan/SKILL.md

@@ -0,0 +1,118 @@
+---
+name: urlscan
+description: Submit URLs for automated malware and phishing analysis, then retrieve safety verdicts and screenshots via urlscan.io
+category: security
+version: 1.0.0
+license: Apache-2.0
+origin: aiden
+tags: security, malware, phishing, url, scan, osint, urlscan, threat-intel
+env_required:
+  - URLSCAN_API_KEY
+---
+
+# URL Safety Scanner (urlscan.io)
+
+Submit any URL for analysis and receive a safety verdict, screenshot, and DNS/HTTP metadata. Uses the [urlscan.io](https://urlscan.io) API.
+
+**Requires:** Free `URLSCAN_API_KEY` — sign up at urlscan.io, no credit card needed.
+
+## When to Use
+
+- User receives a suspicious link and wants to check it safely
+- User wants to verify if a URL is phishing or malware
+- User asks "is this link safe?" or "scan this URL for threats"
+- Security review of links before sharing them
+- OSINT: see what a URL looks like without visiting it yourself
+
+## How to Use
+
+### Submit a URL for scanning
+
+```powershell
+$url    = "https://suspicious-site.example.com"
+$key    = $env:URLSCAN_API_KEY
+$body   = '{"url": "' + $url + '", "visibility": "unlisted"}'
+
+$submit = Invoke-RestMethod -Uri "https://urlscan.io/api/v1/scan/" `
+    -Method POST `
+    -Headers @{ "API-Key" = $key; "Content-Type" = "application/json" } `
+    -Body $body
+
+Write-Host "Scan submitted!"
+Write-Host "UUID:    $($submit.uuid)"
+Write-Host "Results: $($submit.result)"
+Write-Host "Waiting 30 seconds for scan to complete..."
+Start-Sleep -Seconds 30
+```
+
+### Retrieve scan results after waiting
+
+```powershell
+$uuid   = "PASTE-UUID-FROM-SUBMIT-STEP"
+$key    = $env:URLSCAN_API_KEY
+
+$result = Invoke-RestMethod -Uri "https://urlscan.io/api/v1/result/$uuid/" `
+    -Headers @{ "API-Key" = $key }
+
+Write-Host "Final URL:   $($result.page.url)"
+Write-Host "IP:          $($result.page.ip)"
+Write-Host "Country:     $($result.page.country)"
+Write-Host "Malicious:   $($result.verdicts.overall.malicious)"
+Write-Host "Phishing:    $($result.verdicts.overall.phishing)"
+Write-Host "Score:       $($result.verdicts.overall.score)"
+Write-Host "Screenshot:  https://urlscan.io/screenshots/$uuid.png"
+```
+
+### One-shot: submit and wait for result
+
+```powershell
+function Scan-Url {
+    param([string]$TargetUrl, [string]$ApiKey = $env:URLSCAN_API_KEY)
+
+    $body   = '{"url": "' + $TargetUrl + '", "visibility": "unlisted"}'
+    $submit = Invoke-RestMethod -Uri "https://urlscan.io/api/v1/scan/" `
+        -Method POST -Headers @{ "API-Key" = $ApiKey; "Content-Type" = "application/json" } `
+        -Body $body
+    $uuid = $submit.uuid
+
+    Write-Host "Scanning $TargetUrl (uuid: $uuid)..."
+    Start-Sleep -Seconds 30
+
+    $result = Invoke-RestMethod -Uri "https://urlscan.io/api/v1/result/$uuid/" `
+        -Headers @{ "API-Key" = $ApiKey }
+
+    [PSCustomObject]@{
+        URL       = $result.page.url
+        IP        = $result.page.ip
+        Malicious = $result.verdicts.overall.malicious
+        Phishing  = $result.verdicts.overall.phishing
+        Score     = $result.verdicts.overall.score
+        Report    = "https://urlscan.io/result/$uuid/"
+    }
+}
+
+Scan-Url -TargetUrl "https://example.com"
+```
+
+## Examples
+
+**"Check if this link is safe: https://bit.ly/abc123"**
+→ Submit with visibility "unlisted", wait 30 seconds, retrieve result.
+
+**"Scan this suspicious email link for phishing"**
+→ Use the one-shot function above. If `Phishing = True`, warn the user.
+
+**"I want to see what this URL looks like without clicking it"**
+→ Submit the scan, then use the screenshot URL: `https://urlscan.io/screenshots/{uuid}.png`
+
+## Cautions
+
+- Scans take 20–60 seconds to complete — always wait before fetching results
+- `"visibility": "public"` makes the scan visible to all urlscan.io users — use `"unlisted"` for sensitive URLs
+- Do not scan URLs that contain personal data or credentials in query parameters
+- Free tier allows ~5 scans per minute — add delays for bulk scanning
+- The API key is required to submit scans; public search results are accessible without a key
+
+## Requirements
+
+- `URLSCAN_API_KEY` — free account at https://urlscan.io (no credit card required)

package/workspace-templates/skills/urlscan/index.ts

@@ -0,0 +1,94 @@
+// skills/urlscan/index.ts
+// Programmatic handler — submits URLs and retrieves verdicts via urlscan.io API.
+
+import { ApiSkill, requireApiKey } from '../../core/apiSkillBase'
+
+const skill = new ApiSkill({
+  name:       'urlscan',
+  baseUrl:    'https://urlscan.io/api/v1',
+  apiKeyEnv:  'URLSCAN_API_KEY',
+  authType:   'header',
+  authHeader: 'API-Key',
+  rateLimit:  { requests: 5, windowMs: 60_000 },
+  timeout:    20_000,
+})
+
+export type Visibility = 'public' | 'unlisted' | 'private'
+
+export interface ScanSubmit {
+  uuid:       string
+  result:     string
+  api:        string
+  visibility: string
+  message:    string
+}
+
+export interface ScanVerdict {
+  malicious: boolean
+  phishing:  boolean
+  score:     number
+  tags:      string[]
+}
+
+export interface ScanResult {
+  uuid:       string
+  url:        string
+  ip:         string
+  country:    string
+  malicious:  boolean
+  phishing:   boolean
+  score:      number
+  reportUrl:  string
+  screenshot: string
+}
+
+/** Submit a URL for scanning. Returns the UUID — call getResult() after ~30s. */
+export async function submitScan(url: string, visibility: Visibility = 'unlisted'): Promise<ScanSubmit> {
+  requireApiKey('URLSCAN_API_KEY')
+  return skill.post('/scan/', { url, visibility })
+}
+
+/** Retrieve a completed scan by UUID. */
+export async function getResult(uuid: string): Promise<ScanResult> {
+  requireApiKey('URLSCAN_API_KEY')
+
+  const raw = await skill.get(`/result/${uuid}/`)
+
+  return {
+    uuid,
+    url:        raw.page?.url        ?? '',
+    ip:         raw.page?.ip         ?? '',
+    country:    raw.page?.country    ?? '',
+    malicious:  raw.verdicts?.overall?.malicious ?? false,
+    phishing:   raw.verdicts?.overall?.phishing  ?? false,
+    score:      raw.verdicts?.overall?.score     ?? 0,
+    reportUrl:  `https://urlscan.io/result/${uuid}/`,
+    screenshot: `https://urlscan.io/screenshots/${uuid}.png`,
+  }
+}
+
+/** Submit and poll for result (waits up to maxWaitMs). */
+export async function scanAndWait(
+  url: string,
+  visibility: Visibility = 'unlisted',
+  maxWaitMs = 60_000,
+): Promise<ScanResult> {
+  requireApiKey('URLSCAN_API_KEY')
+
+  const submit  = await submitScan(url, visibility)
+  const uuid    = submit.uuid
+  const poll    = 10_000
+  const start   = Date.now()
+
+  while (Date.now() - start < maxWaitMs) {
+    await new Promise(r => setTimeout(r, poll))
+    try {
+      return await getResult(uuid)
+    } catch (e: any) {
+      // 404 means scan is still in progress
+      if (!e.message.includes('HTTP 404')) throw e
+    }
+  }
+
+  throw new Error(`urlscan: scan ${uuid} did not complete within ${maxWaitMs / 1000}s`)
+}

package/workspace-templates/skills/urlscan/skill.json

@@ -0,0 +1,24 @@
+{
+  "name": "urlscan",
+  "version": "1.0.0",
+  "description": "Submit URLs for automated malware and phishing analysis, then retrieve safety verdicts and screenshots via urlscan.io",
+  "author": "aiden",
+  "license": "MIT",
+  "tools": [],
+  "trigger_phrases": [],
+  "compatible_agents": [
+    "aiden"
+  ],
+  "min_agent_version": "3.0.0",
+  "tags": [
+    "security",
+    "malware",
+    "phishing",
+    "url",
+    "scan",
+    "osint",
+    "urlscan",
+    "threat-intel"
+  ],
+  "created": "2026-04-27T17:11:41.053Z"
+}

package/workspace-templates/skills/virustotal/SKILL.md

@@ -0,0 +1,120 @@
+---
+name: virustotal
+description: Check file hashes, URLs, domains, and IP addresses against 70+ antivirus engines and threat intelligence feeds via VirusTotal
+category: security
+version: 1.0.0
+license: Apache-2.0
+origin: aiden
+tags: security, virustotal, malware, antivirus, threat-intel, hash, url, domain, ip, incident-response
+env_required:
+  - VIRUSTOTAL_API_KEY
+---
+
+# VirusTotal — Threat Intelligence
+
+VirusTotal aggregates results from 70+ antivirus engines and threat intelligence feeds. Check file hashes, URLs, domains, and IP addresses for known malware, phishing, and suspicious activity.
+
+**Requires:** `VIRUSTOTAL_API_KEY` — free at https://www.virustotal.com/gui/my-apikey (4 req/min on free tier).
+
+## When to Use
+
+- User has a file hash and wants to know if it is malware
+- User has a suspicious URL and wants a reputation check
+- User is investigating an incident and needs threat context for a domain or IP
+- User asks "is this hash malicious?", "check this URL", or "is this domain flagged?"
+- SOC/IR workflow: triage IOCs (indicators of compromise) quickly
+
+## How to Use
+
+### Check a file hash (MD5, SHA-1, or SHA-256)
+
+```powershell
+$hash = "44d88612fea8a8f36de82e1278abb02f"   # EICAR test file
+$key  = $env:VIRUSTOTAL_API_KEY
+$url  = "https://www.virustotal.com/api/v3/files/$hash"
+
+$result = Invoke-RestMethod -Uri $url -Headers @{ "x-apikey" = $key }
+$stats  = $result.data.attributes.last_analysis_stats
+Write-Host "File: $($result.data.attributes.meaningful_name)"
+Write-Host "Malicious:  $($stats.malicious) / $($stats.malicious + $stats.undetected + $stats.harmless)"
+Write-Host "Suspicious: $($stats.suspicious)"
+Write-Host "First seen: $($result.data.attributes.first_submission_date)"
+```
+
+### Check a URL for malware or phishing
+
+```powershell
+$targetUrl = "https://example.com"
+$key       = $env:VIRUSTOTAL_API_KEY
+
+# URL id = URL-safe base64 without padding
+$bytes  = [System.Text.Encoding]::UTF8.GetBytes($targetUrl)
+$b64    = [Convert]::ToBase64String($bytes).Replace('+','-').Replace('/','_').TrimEnd('=')
+$url    = "https://www.virustotal.com/api/v3/urls/$b64"
+
+$result = Invoke-RestMethod -Uri $url -Headers @{ "x-apikey" = $key }
+$stats  = $result.data.attributes.last_analysis_stats
+Write-Host "URL: $targetUrl"
+Write-Host "Malicious:  $($stats.malicious)"
+Write-Host "Phishing:   $($result.data.attributes.categories -join ', ')"
+Write-Host "Reputation: $($result.data.attributes.reputation)"
+```
+
+### Check a domain's reputation
+
+```powershell
+$domain = "example.com"
+$key    = $env:VIRUSTOTAL_API_KEY
+$url    = "https://www.virustotal.com/api/v3/domains/$domain"
+
+$result = Invoke-RestMethod -Uri $url -Headers @{ "x-apikey" = $key }
+$attrs  = $result.data.attributes
+Write-Host "Domain:     $domain"
+Write-Host "Reputation: $($attrs.reputation)"
+Write-Host "Categories: $($attrs.categories.PSObject.Properties.Value -join ', ')"
+$stats  = $attrs.last_analysis_stats
+Write-Host "Malicious:  $($stats.malicious) engines"
+```
+
+### Check an IP address
+
+```powershell
+$ip  = "1.1.1.1"
+$key = $env:VIRUSTOTAL_API_KEY
+$url = "https://www.virustotal.com/api/v3/ip_addresses/$ip"
+
+$result = Invoke-RestMethod -Uri $url -Headers @{ "x-apikey" = $key }
+$attrs  = $result.data.attributes
+$stats  = $attrs.last_analysis_stats
+Write-Host "IP:           $ip"
+Write-Host "AS Owner:     $($attrs.as_owner)"
+Write-Host "Country:      $($attrs.country)"
+Write-Host "Reputation:   $($attrs.reputation)"
+Write-Host "Malicious:    $($stats.malicious) engines"
+```
+
+## Examples
+
+**"Is hash 44d88612fea8a8f36de82e1278abb02f malware?"**
+→ Use the file hash check — malicious count > 0 means confirmed threats.
+
+**"Check if https://suspicious-login.com is phishing"**
+→ Use the URL check — look at `malicious` and `phishing` categories.
+
+**"I got an alert for domain evil-c2.net — is it known bad?"**
+→ Use the domain check — look at reputation score and malicious engine count.
+
+**"This IP keeps hitting our firewall — is it a known attacker?"**
+→ Use the IP check — `reputation < 0` and high malicious count = treat as threat.
+
+## Cautions
+
+- Free tier rate limit: 4 requests per minute — add `Start-Sleep -Seconds 16` between calls when checking multiple IOCs
+- VirusTotal results reflect last scan time; for fresh analysis you must submit (POST /files or POST /urls) — not covered here
+- A clean result (0 detections) does not guarantee safety — new malware may not yet be in the database
+- File hashes are public — never submit sensitive files directly; only submit the hash
+- Reputation score: positive = clean, 0 = neutral, negative = suspicious/malicious
+
+## Requirements
+
+- `VIRUSTOTAL_API_KEY` — free account at https://www.virustotal.com/gui/join-us

package/workspace-templates/skills/virustotal/index.ts

@@ -0,0 +1,124 @@
+// skills/virustotal/index.ts
+// Programmatic handler — file, URL, domain, and IP reputation via VirusTotal v3 API.
+
+import { ApiSkill, requireApiKey } from '../../core/apiSkillBase'
+
+const skill = new ApiSkill({
+  name:       'virustotal',
+  baseUrl:    'https://www.virustotal.com/api/v3',
+  apiKeyEnv:  'VIRUSTOTAL_API_KEY',
+  authType:   'header',
+  authHeader: 'x-apikey',
+  rateLimit:  { requests: 4, windowMs: 60_000 },
+  timeout:    20_000,
+  retries:    3,
+})
+
+export interface AnalysisStats {
+  malicious:   number
+  suspicious:  number
+  undetected:  number
+  harmless:    number
+  timeout:     number
+}
+
+export interface VTReport {
+  id:          string
+  name:        string
+  reputation:  number
+  stats:       AnalysisStats
+  categories:  string[]
+  lastAnalysis: string
+}
+
+/** Encode a URL to the VirusTotal URL identifier (URL-safe base64, no padding). */
+function urlId(url: string): string {
+  return Buffer.from(url).toString('base64url')
+}
+
+function extractStats(attrs: any): AnalysisStats {
+  const s = attrs?.last_analysis_stats ?? {}
+  return {
+    malicious:  s.malicious  ?? 0,
+    suspicious: s.suspicious ?? 0,
+    undetected: s.undetected ?? 0,
+    harmless:   s.harmless   ?? 0,
+    timeout:    s.timeout    ?? 0,
+  }
+}
+
+function extractCategories(attrs: any): string[] {
+  if (!attrs?.categories) return []
+  if (Array.isArray(attrs.categories)) return attrs.categories as string[]
+  // categories can be an object of { engine: category } — return unique values
+  return [...new Set(Object.values(attrs.categories) as string[])]
+}
+
+/** Check a file hash (MD5, SHA-1, or SHA-256) against VirusTotal. */
+export async function fileReport(hash: string): Promise<VTReport> {
+  requireApiKey('VIRUSTOTAL_API_KEY')
+
+  const raw   = await skill.get(`/files/${encodeURIComponent(hash)}`)
+  const attrs = raw.data?.attributes ?? {}
+
+  return {
+    id:           raw.data?.id                          ?? hash,
+    name:         attrs.meaningful_name                  ?? attrs.name ?? hash,
+    reputation:   attrs.reputation                       ?? 0,
+    stats:        extractStats(attrs),
+    categories:   extractCategories(attrs),
+    lastAnalysis: attrs.last_analysis_date               ?? '',
+  }
+}
+
+/** Check a URL's reputation via VirusTotal. */
+export async function urlReport(url: string): Promise<VTReport> {
+  requireApiKey('VIRUSTOTAL_API_KEY')
+
+  const id    = urlId(url)
+  const raw   = await skill.get(`/urls/${id}`)
+  const attrs = raw.data?.attributes ?? {}
+
+  return {
+    id,
+    name:         url,
+    reputation:   attrs.reputation   ?? 0,
+    stats:        extractStats(attrs),
+    categories:   extractCategories(attrs),
+    lastAnalysis: attrs.last_analysis_date ?? '',
+  }
+}
+
+/** Check a domain's reputation via VirusTotal. */
+export async function domainReport(domain: string): Promise<VTReport> {
+  requireApiKey('VIRUSTOTAL_API_KEY')
+
+  const raw   = await skill.get(`/domains/${encodeURIComponent(domain)}`)
+  const attrs = raw.data?.attributes ?? {}
+
+  return {
+    id:           raw.data?.id         ?? domain,
+    name:         domain,
+    reputation:   attrs.reputation     ?? 0,
+    stats:        extractStats(attrs),
+    categories:   extractCategories(attrs),
+    lastAnalysis: attrs.last_analysis_date ?? '',
+  }
+}
+
+/** Check an IP address reputation via VirusTotal. */
+export async function ipReport(ip: string): Promise<VTReport> {
+  requireApiKey('VIRUSTOTAL_API_KEY')
+
+  const raw   = await skill.get(`/ip_addresses/${encodeURIComponent(ip)}`)
+  const attrs = raw.data?.attributes ?? {}
+
+  return {
+    id:           raw.data?.id         ?? ip,
+    name:         ip,
+    reputation:   attrs.reputation     ?? 0,
+    stats:        extractStats(attrs),
+    categories:   extractCategories(attrs),
+    lastAnalysis: attrs.last_analysis_date ?? '',
+  }
+}

package/workspace-templates/skills/virustotal/skill.json

@@ -0,0 +1,26 @@
+{
+  "name": "virustotal",
+  "version": "1.0.0",
+  "description": "Check file hashes, URLs, domains, and IP addresses against 70+ antivirus engines and threat intelligence feeds via VirusTotal",
+  "author": "aiden",
+  "license": "MIT",
+  "tools": [],
+  "trigger_phrases": [],
+  "compatible_agents": [
+    "aiden"
+  ],
+  "min_agent_version": "3.0.0",
+  "tags": [
+    "security",
+    "virustotal",
+    "malware",
+    "antivirus",
+    "threat-intel",
+    "hash",
+    "url",
+    "domain",
+    "ip",
+    "incident-response"
+  ],
+  "created": "2026-04-27T17:11:41.082Z"
+}