thor-scan

Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.

Best use case

thor-scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.

Teams using thor-scan should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/thor-scan/SKILL.md --create-dirs "https://raw.githubusercontent.com/NextronSystems/thor-skill/main/thor-scan/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/thor-scan/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How thor-scan Compares

Feature / Agentthor-scanStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# THOR Scan Skill

Goal: produce a safe, reproducible THOR command line and minimal preflight checks.

Rules

- Prefer THOR v10 stable unless the user explicitly wants v11 TechPreview features.
- Always start with environment detection: OS, THOR path, license presence, and whether thor-util exists.
- Identify if user has full THOR or THOR Lite (different binaries, different capabilities).
- Avoid "magic flags". Explain why each non-trivial flag is used.
- Default to focusing on forensic / lab workflows; if it's live endpoint scanning, keep it conservative.

Preflight checklist

1. List the THOR install directory first (`ls` or `dir`). This immediately tells you:
   - Which THOR version you have (binary names contain "lite" for THOR Lite)
   - What binaries and tools are available
   - What license files exist
2. Verify the correct binary exists:
   - Full THOR: `thor64.exe` (Windows), `thor-linux-64` (Linux), `thor-macosx` (macOS)
   - THOR Lite: `thor64-lite.exe` (Windows), `thor-lite-linux-64` (Linux), `thor-lite-macos` (macOS)
3. If recommending `--lab` mode, check license type first:
   - `grep -i forensiclab *.lic` - if found, `--lab` is available
   - If not found (or THOR Lite), use alternative: `-a Filescan --intense --norescontrol --cross-platform`
4. Check thor-util presence for update/diagnostics/report tasks.
5. Identify scan target type:
   - live path, mounted image, memory dump, extracted dumps, SSHFS-mounted remote
6. Choose scan mode and output location; keep outputs deterministic.
7. If THOR Lite: note that lab mode and Sigma are unavailable. See [THOR Lite limitations](../thor-lite/SKILL.md).

Important flag rules

- **Never use `--lab --intense` together** - `--lab` already includes intense mode
- **Check license before recommending `--lab`** - requires Forensic Lab license
- **THOR Lite has no `--lab`** - always use the alternative flag combination

Use these references when needed

- Environment detection: [reference/env-detection.md](reference/env-detection.md)
- Scan modes overview: [reference/scan-modes.md](reference/scan-modes.md)
- Forensic lab mode: [reference/lab-mode.md](reference/lab-mode.md)
- Performance and threading: [reference/performance.md](reference/performance.md)
- Output and reports: [reference/output-and-reporting.md](reference/output-and-reporting.md)
- Signature selectors/filters: [reference/signature-filtering.md](reference/signature-filtering.md)
- THOR Lite limitations: [../thor-lite/reference/limitations.md](../thor-lite/reference/limitations.md)

Example templates
- examples/windows-live-scan.md
- examples/linux-mounted-image.md
- examples/macos-scan.md
- examples/memory-dump.md
- examples/sshfs-remote-scan.md - for appliances and unsupported architectures

Output format
- First line: one recommended command (single-line).
- Then: short explanation of key flags.
- Then: "If it fails" section with 2-3 likely causes and next commands to run.

Related Skills

thor-troubleshooting

8
from NextronSystems/thor-skill

Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.

thor-plugins

8
from NextronSystems/thor-skill

Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.

thor-maintenance

8
from NextronSystems/thor-skill

Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation.

thor-log-analysis

8
from NextronSystems/thor-skill

Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.

THOR Lite Skill

8
from NextronSystems/thor-skill

THOR Lite is a free scanner with reduced features compared to full THOR. This skill handles Lite-specific guidance, limitations, and workarounds.

thor-skills

8
from NextronSystems/thor-skill

Entry point and router for THOR-related work: running scans, analyzing THOR logs, troubleshooting THOR behavior, maintaining THOR installs, THOR Lens workflows, writing THOR plugins (v11+), and creating custom signatures/IOCs.

custom-signatures

8
from NextronSystems/thor-skill

Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.

cairo-contract-authoring

9
from cartridge-gg/nums

Guides Cairo smart-contract authoring on Starknet with language fundamentals, safe structure choices, component composition, and implementation workflow references.

scanpy

9
from tondevrel/scientific-agent-skills

Scalable toolkit for analyzing single-cell gene expression data. Built on top of Anndata, focusing on clustering, trajectory inference, and visualization.

thor-troubleshooting

9
from Nextron-Labs/thor-skill

Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.

thor-scan

9
from Nextron-Labs/thor-skill

Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.

thor-plugins

9
from Nextron-Labs/thor-skill

Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.