nextronsystems/thor-plugins
thor-plugins/SKILL.md
Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.
$ install --global
skillsauthnpx skillsauth add nextronsystems/thor-skill thor-pluginsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 8, 2026, 2:34 AM11.0s8 files scanned
SKILL.md
- name:
- thor-plugins
- description:
- Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.
THOR Plugins Skill
Goal: Help users write custom THOR plugins and integrate them into scans.
Overview
THOR Plugins (v11+) allow extending THOR with custom functionality written in Go:
- Parse file formats THOR doesn't natively support
- Implement complex detection logic beyond YARA/Sigma
- Post-process findings (upload samples, enrich data, trigger alerts)
Plugins are ZIP archives containing Go code, executed by THOR via the yaegi interpreter.
Requirements
- THOR v11 or later (plugins not available in v10 or THOR Lite)
- Go installed for development (go 1.21+)
- Basic Go programming knowledge
Key Concepts
- Plugin Structure: ZIP containing
plugin.go,metadata.yml, optionalvendor/directory - Init Function: Entry point
func Init(config, logger, actions)called at scan start - Hooks: Register callbacks for YARA/Sigma matches or post-processing
- Scanner Interface: Within hooks, scan extracted data, log messages, add findings
Plugin Types by Use Case
| Use Case | Hook Type | Example |
|----------|-----------|---------|
| Parse custom file format | AddRuleHook with YARA trigger | ZIP parser, Defender quarantine extractor |
| Log/alert on matches | AddRuleHook | Registry autorun logger |
| Upload/collect samples | AddPostProcessingHook | HTTP sample collector |
| Enrich findings | AddPostProcessingHook | VirusTotal lookup, MITRE tagging |
Workflow
- Start from template or existing example
- Define YARA rule to trigger on target files (if needed)
- Implement hook callback with custom logic
- Create
metadata.ymlwith plugin info - Package as ZIP:
zip -r plugin.zip *.go metadata.yml vendor/ - Place in THOR's
plugins/directory - Run THOR - plugin loads automatically
Reference Documentation
- Getting Started - Create your first plugin
- Plugin API - Full API reference
- Packaging - How to package and deploy plugins
Examples
- examples/zipparser.md - Parse and scan ZIP contents
- examples/defender-quarantine.md - Decrypt Defender quarantine files
- examples/httpcollector.md - Upload samples via HTTP
- examples/registry-autoruns.md - Log registry autorun entries
Common Pitfalls
- Plugins use yaegi interpreter - no
unsafeorsyscallpackages - External dependencies must be vendored (
go mod vendor) - Plugin ZIP must have
package mainin root .go file - YARA rules in plugins need unique tags for hooks
- Post-processing hooks only fire on findings, not all scanned files
Debugging
# Run THOR with debug to see plugin loading
./thor-macosx --debug | grep -i plugin
# Check plugin initialization messages
./thor-macosx 2>&1 | grep "plugin"
Related Skills
nextronsystems/thor-troubleshooting
data-ai
VerifiedTrustedCommunity
Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-scan
content-media
VerifiedTrustedCommunity
Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-maintenance
development
VerifiedTrustedCommunity
--- name: thor-maintenance description: Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation. --- # THOR Maintenance Skill Rules - Be precise about thor-util verbs: - update = signatures - upgrade = program + signatures, keep config - download = full pack incl config (offline use case) - Prefer stable signatures; mention sigdev only for urg
9SKILL.mdUpdated Apr 8, 2026
nextronsystems/thor-log-analysis
data-ai
VerifiedTrustedCommunity
Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.
9SKILL.mdUpdated Apr 8, 2026