nextronsystems/thor-lens
thor-lens/SKILL.md
THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (audit trail not available in v10).
$ install --global
skillsauthnpx skillsauth add nextronsystems/thor-skill thor-lensInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 8, 2026, 2:33 AM16.5s15 files scanned
SKILL.md
- name:
- thor-lens
- description:
- THOR Lens workflows for forensic timeline analysis. A web UI that imports THOR v11 audit trail JSONL logs for interactive exploration. Requires THOR v11 (audit trail not available in v10).
THOR Lens Skill
THOR Lens is a forensic timeline viewer that transforms THOR v11 audit trail files into an interactive exploration interface.
Critical Boundary:
- THOR Lens is a web UI application - users interact in the browser
- The CLI handles build, import, and serve - not scanning
- THOR Lens does not scan - it visualizes data from THOR scans
- Requires THOR v11 audit trail output (v10 does not produce this format)
- Not compatible with THOR Lite - Lite cannot generate audit trail output
Quickstart
# 1. Clone and build
git clone https://github.com/NextronSystems/thor-lens.git
cd thor-lens
make build
# 2. Import an audit trail
./thorlens import --log /path/to/audit.jsonl --case mycase
# 3. Serve and open browser
./thorlens serve --case ./cases/mycase --port 8080
# Open http://127.0.0.1:8080
When to Use THOR Lens
- Investigating timelines from THOR v11 scans
- Correlating events across time ranges
- Exploring high-score detections and their context
- Annotating findings with tags, comments, bookmarks
- MCP integration with Claude Code for AI-assisted analysis
References
- Quickstart - Get running in 5 minutes
- Build & Prerequisites - Go, Node.js, make requirements
- Import & Cases - Importing audit trails, case structure
- Serve & UI - Web server, UI features, keyboard shortcuts
- MCP Integration - Claude Code setup, MCP tools
- Audit Trail Generation - THOR v11 commands for audit trail
Troubleshooting
- Common Issues - Build, import, serve problems
- Empty UI - Why the timeline shows nothing
- MCP Issues - Connection and configuration problems
Examples
- End-to-End Local - Full workflow on local machine
- Case from Mounted Image - Forensic image workflow
- Case from SSHFS - Remote system via SSH mount
Helper Scripts
- scripts/validate_audit_trail.sh - Check audit trail file validity
- scripts/case_inventory.sh - List case contents and stats
Key Facts
| Item | Value |
|------|-------|
| Upstream repo | https://github.com/NextronSystems/thor-lens |
| Default port | 8080 |
| Case storage | ./cases/<name>/ |
| Input format | JSONL (.jsonl or .jsonl.gz) |
| MCP stdio | ./thorlens serve --case <path> --mcp-stdio |
| MCP HTTP | http://localhost:8080/mcp (default) |
Workflow Rules
- Always verify audit trail was generated with THOR v11 before importing
- Use
--virtual-mapand-jduring THOR scans to preserve path/hostname context - MCP stdio mode is recommended for Claude Code integration
- Never expose MCP HTTP endpoint publicly (no authentication)
- If user has THOR Lite, explain that Lens is not an option - Lite lacks audit trail capability. See THOR Lite limitations.
Related Skills
nextronsystems/thor-troubleshooting
data-ai
VerifiedTrustedCommunity
Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-scan
content-media
VerifiedTrustedCommunity
Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-plugins
tools
VerifiedTrustedCommunity
Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-maintenance
development
VerifiedTrustedCommunity
--- name: thor-maintenance description: Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation. --- # THOR Maintenance Skill Rules - Be precise about thor-util verbs: - update = signatures - upgrade = program + signatures, keep config - download = full pack incl config (offline use case) - Prefer stable signatures; mention sigdev only for urg
9SKILL.mdUpdated Apr 8, 2026