THOR Lite Skill
THOR Lite is a free scanner with reduced features compared to full THOR. This skill handles Lite-specific guidance, limitations, and workarounds.
Best use case
THOR Lite Skill is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
THOR Lite is a free scanner with reduced features compared to full THOR. This skill handles Lite-specific guidance, limitations, and workarounds.
Teams using THOR Lite Skill should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/thor-lite/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How THOR Lite Skill Compares
| Feature / Agent | THOR Lite Skill | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
THOR Lite is a free scanner with reduced features compared to full THOR. This skill handles Lite-specific guidance, limitations, and workarounds.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# THOR Lite Skill THOR Lite is a free scanner with reduced features compared to full THOR. This skill handles Lite-specific guidance, limitations, and workarounds. ## When to Use This Skill - User is running THOR Lite (binary name contains "lite") - User asks why a feature is missing or disabled - User expects "full THOR" behavior from Lite - User wants lab-like scanning with Lite - User asks about Lite vs full THOR differences ## How to Identify THOR Lite Check for these indicators in scan output: 1. **Binary name**: `thor64-lite.exe`, `thor-lite-linux-64`, `thor-lite-macos` 2. **Version header**: Shows "THOR Lite" or "Lite" in the banner 3. **Startup messages**: - "Some modules and features are not available in Lite version and will be disabled" - "Disabled components ... REASON: Component is not available in THOR Lite" - "REASON: License restrictions" If unclear, ask the user for the first ~50 lines of their THOR output. ## Binary Names | Platform | Scanner | Utility | |----------|---------|---------| | Windows | `thor64-lite.exe` | `thor-lite-util.exe` | | Linux | `thor-lite-linux-64` | `thor-lite-util` | | macOS | `thor-lite-macos` | `thor-lite-util` | ## Key Limitations | Feature | Available in Lite? | |---------|-------------------| | Lab mode (`--lab`) | No | | Sigma rules | No | | Audit trail | No | | THOR Lens integration | No | | Full module set (~31) | No (~5 modules) | | Private signatures (30k+) | No (~4k open source) | | Commercial use | No | ## Lab-Like Scanning Workaround Since `--lab` is not available, use this flag combination for intensive scanning: ```bash # Windows thor64-lite.exe -a Filescan --intense --norescontrol --cross-platform -p <path> # Linux ./thor-lite-linux-64 -a Filescan --intense --norescontrol --cross-platform -p <path> # macOS ./thor-lite-macos -a Filescan --intense --norescontrol --cross-platform -p <path> ``` Be explicit: this provides **similar behavior, not equal** to full lab scanning. ## Setting Expectations When users run THOR Lite: 1. **Fewer detections expected** – Open source signatures only (~4k vs 30k+ YARA rules) 2. **Modules are limited** – Many persistence and analysis modules are disabled 3. **No Sigma** – Event log analysis with Sigma rules requires full THOR 4. **No Lens** – Audit trail output requires full THOR v11 5. **Scan may seem quiet** – This is normal for Lite's reduced module set ## When to Suggest Full THOR Recommend upgrading when user needs: - Sigma/event log scanning - Audit trail for THOR Lens - Broader detection coverage - Full module set - Commercial/paid engagement use Keep recommendations factual, not promotional. ## Rules 1. **Identify Lite early** – Check binary name and startup output before troubleshooting missing features 2. **Set expectations** – Lite is for triage; missing detections are expected 3. **Provide workarounds** – Use the lab-like flag combo when appropriate 4. **Don't promise full features** – Workarounds approximate but don't equal full THOR 5. **Note license restrictions** – Commercial use requires full THOR ## References - [THOR Lite Limitations](reference/limitations.md) – Full feature comparison and workarounds ## Cross-References - [Environment Detection](../thor-scan/reference/env-detection.md) – Binary detection and identification - [Lab Mode](../thor-scan/reference/lab-mode.md) – Full THOR lab mode documentation - [THOR Lens](../thor-lens/SKILL.md) – Requires full THOR v11 (not compatible with Lite)
Related Skills
thor-troubleshooting
Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.
thor-scan
Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.
thor-plugins
Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.
thor-maintenance
Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation.
thor-log-analysis
Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.
thor-lens
THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (audit trail not available in v10).
thor-db
Analyze THOR's SQLite database (thor10.db/thor11.db) for performance tuning, scan timing, resume state, and delta comparisons. Use when investigating slow scans, debugging performance, or understanding what THOR tracked.
thor-skills
Entry point and router for THOR-related work: running scans, analyzing THOR logs, troubleshooting THOR behavior, maintaining THOR installs, THOR Lens workflows, writing THOR plugins (v11+), and creating custom signatures/IOCs.
custom-signatures
Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.
cairo-contract-authoring
Guides Cairo smart-contract authoring on Starknet with language fundamentals, safe structure choices, component composition, and implementation workflow references.
testing-api-for-broken-object-level-authorization
测试REST和GraphQL API中的越权对象访问(BOLA/IDOR)漏洞,即已认证用户通过操纵API请求中的对象标识符 来访问或修改属于其他用户的资源。测试人员拦截API调用,识别对象ID参数(数字ID、UUID、slug), 并系统性地替换为其他用户的ID,以确定服务器是否执行了对象级授权。 对应OWASP API安全Top 10 2023 API1(越权对象访问)。
performing-sqlite-database-forensics
对 SQLite 数据库执行取证分析,从空闲列表(Freelist)和 WAL 文件中恢复已删除记录,解码编码时间戳,并从浏览器历史、即时通讯应用和移动设备数据库中提取证据。