thor-plugins

Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.

Best use case

thor-plugins is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using thor-plugins should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/thor-plugins/SKILL.md --create-dirs "https://raw.githubusercontent.com/NextronSystems/thor-skill/main/thor-plugins/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/thor-plugins/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How thor-plugins Compares

| Feature / Agent | thor-plugins | Standard Approach |
|-----------------|--------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# THOR Plugins Skill

Goal: Help users write custom THOR plugins and integrate them into scans.

## Overview

THOR Plugins (v11+) allow extending THOR with custom functionality written in Go:

- Parse file formats THOR doesn't natively support
- Implement complex detection logic beyond YARA/Sigma
- Post-process findings (upload samples, enrich data, trigger alerts)

Plugins are ZIP archives containing Go code, executed by THOR via the yaegi interpreter.

## Requirements

- THOR v11 or later (plugins not available in v10 or THOR Lite)
- Go installed for development (go 1.21+)
- Basic Go programming knowledge

## Key Concepts

1. **Plugin Structure**: ZIP containing `plugin.go`, `metadata.yml`, optional `vendor/` directory
2. **Init Function**: Entry point `func Init(config, logger, actions)` called at scan start
3. **Hooks**: Register callbacks for YARA/Sigma matches or post-processing
4. **Scanner Interface**: Within hooks, scan extracted data, log messages, add findings

## Plugin Types by Use Case

| Use Case | Hook Type | Example |
|----------|-----------|---------|
| Parse custom file format | `AddRuleHook` with YARA trigger | ZIP parser, Defender quarantine extractor |
| Log/alert on matches | `AddRuleHook` | Registry autorun logger |
| Upload/collect samples | `AddPostProcessingHook` | HTTP sample collector |
| Enrich findings | `AddPostProcessingHook` | VirusTotal lookup, MITRE tagging |

## Workflow

1. Start from template or existing example
2. Define YARA rule to trigger on target files (if needed)
3. Implement hook callback with custom logic
4. Create `metadata.yml` with plugin info
5. Package as ZIP: `zip -r plugin.zip *.go metadata.yml vendor/`
6. Place in THOR's `plugins/` directory
7. Run THOR - plugin loads automatically

## Reference Documentation

- [Getting Started](reference/getting-started.md) - Create your first plugin
- [Plugin API](reference/plugin-api.md) - Full API reference
- [Packaging](reference/packaging.md) - How to package and deploy plugins

## Examples

- [examples/zipparser.md](examples/zipparser.md) - Parse and scan ZIP contents
- [examples/defender-quarantine.md](examples/defender-quarantine.md) - Decrypt Defender quarantine files
- [examples/httpcollector.md](examples/httpcollector.md) - Upload samples via HTTP
- [examples/registry-autoruns.md](examples/registry-autoruns.md) - Log registry autorun entries

## Common Pitfalls

- Plugins use yaegi interpreter - no `unsafe` or `syscall` packages
- External dependencies must be vendored (`go mod vendor`)
- Plugin ZIP must have `package main` in root .go file
- YARA rules in plugins need unique tags for hooks
- Post-processing hooks only fire on findings, not all scanned files
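
A pre-packaging check for the archive layout from the workflow and the pitfalls listed above, as an added example (not part of the skill or of THOR itself). The function name `lint_thor_plugin` is hypothetical, and the grep patterns are heuristics that assume conventionally formatted Go source.

```shell
#!/bin/sh
# Added example: lint a THOR plugin directory before zipping it.
# lint_thor_plugin DIR -> prints one line per problem, returns the problem count.
lint_thor_plugin() {
  local dir="$1" problems=0 f
  # The archive root must contain plugin.go and metadata.yml.
  for f in plugin.go metadata.yml; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $f"; problems=$((problems + 1))
    fi
  done
  # The root .go file must declare package main.
  if [ -f "$dir/plugin.go" ] &&
     ! grep -Eq '^package[[:space:]]+main([[:space:]]|$)' "$dir/plugin.go"; then
    echo "plugin.go: not 'package main'"; problems=$((problems + 1))
  fi
  # Flag imports of unsafe or syscall in the root .go files
  # (single-line imports, import blocks, and aliased imports).
  for f in "$dir"/*.go; do
    [ -f "$f" ] || continue
    if grep -Eq '^[[:space:]]*(import[[:space:]]+)?([A-Za-z_.][A-Za-z0-9_]*[[:space:]]+)?"(unsafe|syscall)"' "$f"; then
      echo "${f##*/}: imports unsafe or syscall"; problems=$((problems + 1))
    fi
  done
  # A go.mod with require directives means external dependencies,
  # which must be vendored into vendor/.
  if [ -f "$dir/go.mod" ] &&
     grep -Eq '^[[:space:]]*require([[:space:]]|\()' "$dir/go.mod" &&
     [ ! -d "$dir/vendor" ]; then
    echo "go.mod lists dependencies but vendor/ is missing (run: go mod vendor)"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Usage: sh lint.sh ./myplugin   (exit status 0 means no problems found)
if [ -n "${1:-}" ]; then
  lint_thor_plugin "$1"
fi
```

Run it against the plugin directory before the `zip -r` step; a non-zero exit status is the number of problems found.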

## Debugging

```bash
# Run THOR with debug to see plugin loading
./thor-macosx --debug | grep -i plugin

# Check plugin initialization messages
./thor-macosx 2>&1 | grep "plugin"
```
