thor-skills
Entry point and router for THOR-related work: running scans, analyzing THOR logs, troubleshooting THOR behavior, maintaining THOR installs, THOR Lens workflows, writing THOR plugins (v11+), and creating custom signatures/IOCs.
Best use case
thor-skills is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Entry point and router for THOR-related work: running scans, analyzing THOR logs, troubleshooting THOR behavior, maintaining THOR installs, THOR Lens workflows, writing THOR plugins (v11+), and creating custom signatures/IOCs.
Teams using thor-skills should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
How thor-skills Compares
| Feature / Agent | thor-skills | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Entry point and router for THOR-related work: running scans, analyzing THOR logs, troubleshooting THOR behavior, maintaining THOR installs, THOR Lens workflows, writing THOR plugins (v11+), and creating custom signatures/IOCs.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# THOR Skills This is the root skill. It routes requests to the right sub-skill and enforces a few global rules. Global rules - Don't invent THOR flags or behavior. If something is unclear, ask for the missing detail instead of guessing. - Prefer reproducible commands: explicit paths, explicit output directory, explicit mode. - Keep changes safe: don't recommend deleting evidence or modifying the target system unless the user explicitly asks. - Default focus is forensic / lab workflows. If it's live endpoint scanning, call that out and keep it conservative. - THOR versions: v10 is stable; v11 is TechPreview. Some features are v11-only. In particular, THOR Lens relies on the audit trail output, which requires THOR v11 and is not available in THOR v10. - THOR Lite vs full THOR: Lite is a free scanner with reduced features (~5 modules, ~4k open source signatures, no Sigma, no lab mode, no audit trail). Identify which version the user has before troubleshooting missing features. ## Routing rules - If the user wants to run a scan or asks "what command should I run" - use thor-scan (also covers THOR Lite scanning with appropriate flag adjustments). - If the user pasted results or asks "what does this finding mean" - use thor-log-analysis. - If the user reports hangs, slowness, crashes, missing output, license/update weirdness - use thor-troubleshooting. - If the user asks about update/upgrade/report generation/yara-forge/offline packs - use thor-maintenance. - If the user asks about THOR Lens, forensic timeline viewing, importing audit trails, or MCP integration for timeline analysis - use thor-lens (note: requires full THOR v11, not compatible with THOR Lite). - If the user asks about thor10.db/thor11.db, scan timing, performance tuning, slow rules, or resume state - use thor-db. - If the user asks why a feature is missing, expects full THOR behavior from Lite, or asks about Lite limitations - use thor-lite. - If the user wants to write a plugin, extend THOR functionality, parse custom formats, or asks about the plugin API - use thor-plugins (requires THOR v11+). - If the user wants to create custom IOCs, YARA rules, Sigma rules, STIX indicators, or asks about the custom-signatures folder - use custom-signatures. ## Minimum inputs to collect (only what's needed) - OS (Windows/Linux/macOS) - THOR version (v10 or v11) and install path - License situation if relevant (lab vs standard vs unknown) - Target type: live path vs mounted image vs memory dump vs log-only analysis - Where outputs/logs should go ## Available Skills - [thor-scan/](thor-scan/) - Run THOR scans and produce the exact command line for the target scenario - [thor-log-analysis/](thor-log-analysis/) - Triage and interpret THOR logs and findings - [thor-troubleshooting/](thor-troubleshooting/) - Diagnose stuck/slow/failed THOR runs and recommend next actions - [thor-maintenance/](thor-maintenance/) - Update/upgrade THOR, manage signature packs, generate reports - [thor-lens/](thor-lens/) - THOR Lens forensic timeline viewer; import audit trails, web UI, MCP integration (requires THOR v11) - [thor-db/](thor-db/) - Analyze ThorDB (thor10.db/thor11.db) for performance tuning and diagnostics - [thor-lite/](thor-lite/) - THOR Lite limitations, workarounds, and guidance for the free scanner - [thor-plugins/](thor-plugins/) - Write custom THOR plugins to extend scanner functionality (requires THOR v11+) - [custom-signatures/](custom-signatures/) - Create custom IOCs, YARA rules, Sigma rules, and STIX indicators
Related Skills
thor-troubleshooting
Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.
thor-scan
Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.
thor-plugins
Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.
thor-maintenance
Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation.
thor-log-analysis
Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.
THOR Lite Skill
THOR Lite is a free scanner with reduced features compared to full THOR. This skill handles Lite-specific guidance, limitations, and workarounds.
thor-lens
THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (audit trail not available in v10).
thor-db
Analyze THOR's SQLite database (thor10.db/thor11.db) for performance tuning, scan timing, resume state, and delta comparisons. Use when investigating slow scans, debugging performance, or understanding what THOR tracked.
custom-signatures
Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.
cairo-contract-authoring
Guides Cairo smart-contract authoring on Starknet with language fundamentals, safe structure choices, component composition, and implementation workflow references.
skills-cleanup
How to clean up duplicate/untracked skills in the skills repo
testing-api-for-broken-object-level-authorization
测试REST和GraphQL API中的越权对象访问(BOLA/IDOR)漏洞,即已认证用户通过操纵API请求中的对象标识符 来访问或修改属于其他用户的资源。测试人员拦截API调用,识别对象ID参数(数字ID、UUID、slug), 并系统性地替换为其他用户的ID,以确定服务器是否执行了对象级授权。 对应OWASP API安全Top 10 2023 API1(越权对象访问)。