nextronsystems/thor-db
thor-db/SKILL.md
Analyze THOR's SQLite database (thor10.db/thor11.db) for performance tuning, scan timing, resume state, and delta comparisons. Use when investigating slow scans, debugging performance, or understanding what THOR tracked.
$ install --global
skillsauthnpx skillsauth add nextronsystems/thor-skill thor-dbInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 8, 2026, 2:33 AM21.3s7 files scanned
SKILL.md
- name:
- thor-db
- description:
- Analyze THOR's SQLite database (thor10.db/thor11.db) for performance tuning, scan timing, resume state, and delta comparisons. Use when investigating slow scans, debugging performance, or understanding what THOR tracked.
THOR DB Skill
THOR maintains an SQLite database for timing telemetry, scan resume state, and delta comparisons between scans.
What ThorDB Covers
- Performance telemetry – Timing data for rules, modules, and scan elements
- Scan resume state – Markers to continue interrupted scans
- Delta comparison – Compare current vs previous module results for
--diffmode
Quick Commands
Disable ThorDB:
# v11
thor64.exe --exclude-component ThorDB -p C:\
# v10
thor64.exe --nothordb -p C:\
Override location (v11):
thor64.exe --thordb-path /custom/path/ -p C:\
Find the database:
# Windows admin
dir C:\ProgramData\thor\thor*.db
# Linux root
ls -la /var/lib/thor/thor*.db
# Linux user
ls -la ~/.local/state/thor/thor*.db
Open with SQLite:
sqlite3 /var/lib/thor/thor10.db
Use Cases
Performance Analysis
When THOR is slow, check what's taking time:
-- Top time sinks overall
SELECT category, element, count, duration/1e9 AS seconds
FROM times ORDER BY duration DESC LIMIT 20;
Identifying Slow Rules
Find rules or elements with high average time:
SELECT category, element, count,
(duration*1.0/count)/1e9 AS avg_seconds
FROM times WHERE count >= 5
ORDER BY (duration*1.0/count) DESC LIMIT 20;
Resume Investigation
Check resume markers and scan metadata:
SELECT key, value FROM tbl ORDER BY key;
Resume Behavior
Resume requires ThorDB to be enabled and command line arguments to match.
THOR v11 Resume Flags
# Resume if state exists, otherwise run full scan
thor64.exe --resume-scan -p C:\
# Resume only if state exists, fail otherwise
thor64.exe --resume-only -p C:\
To clear resume state: run THOR once without --resume-scan.
THOR v10 Resume Flags
# Enable resume tracking (required since v10.5)
thor64.exe --resume -p C:\
Since THOR 10.5, resume state is not tracked by default due to performance implications. Start scans with --resume to enable resume capability.
To clear resume state: run THOR once without --resume.
References
- Database Locations - Where to find ThorDB
- Schema Reference - Tables and columns
- Useful Queries - Analysis queries
Scripts
- thor_db_top_times.py - Top time consumers
- thor_db_export_csv.py - Export to CSV/JSON
- thor_db_slow_rules_hint.py - Tuning hints
Detecting DB Name
THOR 10 uses thor10.db, THOR 11 uses thor11.db. Older deployments may show thor.db.
# Check binary strings
strings ./thor-linux-64 | grep -E 'thor[0-9]+\.db'
# Or trace file opens during scan
strace -f -e openat ./thor-linux-64 --quick -p /tmp 2>&1 | grep -E 'thor[0-9]+\.db'
Related Skills
nextronsystems/thor-troubleshooting
data-ai
VerifiedTrustedCommunity
Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-scan
content-media
VerifiedTrustedCommunity
Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-plugins
tools
VerifiedTrustedCommunity
Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-maintenance
development
VerifiedTrustedCommunity
--- name: thor-maintenance description: Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation. --- # THOR Maintenance Skill Rules - Be precise about thor-util verbs: - update = signatures - upgrade = program + signatures, keep config - download = full pack incl config (offline use case) - Prefer stable signatures; mention sigdev only for urg
9SKILL.mdUpdated Apr 8, 2026