thor-scan
Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.
Best use case
thor-scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.
Teams using thor-scan should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/thor-scan/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How thor-scan Compares
| Feature / Agent | thor-scan | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# THOR Scan Skill Goal: produce a safe, reproducible THOR command line and minimal preflight checks. Rules - Prefer THOR v10 stable unless the user explicitly wants v11 TechPreview features. - Always start with environment detection: OS, THOR path, license presence, and whether thor-util exists. - Identify if user has full THOR or THOR Lite (different binaries, different capabilities). - Avoid "magic flags". Explain why each non-trivial flag is used. - Default to focusing on forensic / lab workflows; if it's live endpoint scanning, keep it conservative. Preflight checklist 1. List the THOR install directory first (`ls` or `dir`). This immediately tells you: - Which THOR version you have (binary names contain "lite" for THOR Lite) - What binaries and tools are available - What license files exist 2. Verify the correct binary exists: - Full THOR: `thor64.exe` (Windows), `thor-linux-64` (Linux), `thor-macosx` (macOS) - THOR Lite: `thor64-lite.exe` (Windows), `thor-lite-linux-64` (Linux), `thor-lite-macos` (macOS) 3. If recommending `--lab` mode, check license type first: - `grep -i forensiclab *.lic` - if found, `--lab` is available - If not found (or THOR Lite), use alternative: `-a Filescan --intense --norescontrol --cross-platform` 4. Check thor-util presence for update/diagnostics/report tasks. 5. Identify scan target type: - live path, mounted image, memory dump, extracted dumps, SSHFS-mounted remote 6. Choose scan mode and output location; keep outputs deterministic. 7. If THOR Lite: note that lab mode and Sigma are unavailable. See [THOR Lite limitations](../thor-lite/SKILL.md). Important flag rules - **Never use `--lab --intense` together** - `--lab` already includes intense mode - **Check license before recommending `--lab`** - requires Forensic Lab license - **THOR Lite has no `--lab`** - always use the alternative flag combination Use these references when needed - Environment detection: [reference/env-detection.md](reference/env-detection.md) - Scan modes overview: [reference/scan-modes.md](reference/scan-modes.md) - Forensic lab mode: [reference/lab-mode.md](reference/lab-mode.md) - Performance and threading: [reference/performance.md](reference/performance.md) - Output and reports: [reference/output-and-reporting.md](reference/output-and-reporting.md) - Signature selectors/filters: [reference/signature-filtering.md](reference/signature-filtering.md) - THOR Lite limitations: [../thor-lite/reference/limitations.md](../thor-lite/reference/limitations.md) Example templates - examples/windows-live-scan.md - examples/linux-mounted-image.md - examples/macos-scan.md - examples/memory-dump.md - examples/sshfs-remote-scan.md - for appliances and unsupported architectures Output format - First line: one recommended command (single-line). - Then: short explanation of key flags. - Then: "If it fails" section with 2-3 likely causes and next commands to run.
Related Skills
thor-troubleshooting
Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.
thor-plugins
Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.
thor-maintenance
Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation.
thor-log-analysis
Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.
THOR Lite Skill
THOR Lite is a free scanner with reduced features compared to full THOR. This skill handles Lite-specific guidance, limitations, and workarounds.
thor-lens
THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (audit trail not available in v10).
thor-db
Analyze THOR's SQLite database (thor10.db/thor11.db) for performance tuning, scan timing, resume state, and delta comparisons. Use when investigating slow scans, debugging performance, or understanding what THOR tracked.
thor-skills
Entry point and router for THOR-related work: running scans, analyzing THOR logs, troubleshooting THOR behavior, maintaining THOR installs, THOR Lens workflows, writing THOR plugins (v11+), and creating custom signatures/IOCs.
custom-signatures
Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.
cairo-contract-authoring
Guides Cairo smart-contract authoring on Starknet with language fundamentals, safe structure choices, component composition, and implementation workflow references.
scanpy
Scalable toolkit for analyzing single-cell gene expression data. Built on top of Anndata, focusing on clustering, trajectory inference, and visualization.
testing-api-for-broken-object-level-authorization
测试REST和GraphQL API中的越权对象访问(BOLA/IDOR)漏洞,即已认证用户通过操纵API请求中的对象标识符 来访问或修改属于其他用户的资源。测试人员拦截API调用,识别对象ID参数(数字ID、UUID、slug), 并系统性地替换为其他用户的ID,以确定服务器是否执行了对象级授权。 对应OWASP API安全Top 10 2023 API1(越权对象访问)。