Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

nextronsystems/thor-scan

Name: thor-scan
Author: nextronsystems

thor-scan/SKILL.md

npx skillsauth add nextronsystems/thor-skill thor-scan

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

THOR Scan Skill

Goal: produce a safe, reproducible THOR command line and minimal preflight checks.

Rules

Prefer THOR v10 stable unless the user explicitly wants v11 TechPreview features.
Always start with environment detection: OS, THOR path, license presence, and whether thor-util exists.
Identify if user has full THOR or THOR Lite (different binaries, different capabilities).
Avoid "magic flags". Explain why each non-trivial flag is used.
Default to focusing on forensic / lab workflows; if it's live endpoint scanning, keep it conservative.

Preflight checklist

List the THOR install directory first (ls or dir). This immediately tells you:
- Which THOR version you have (binary names contain "lite" for THOR Lite)
- What binaries and tools are available
- What license files exist
Verify the correct binary exists:
- Full THOR: thor64.exe (Windows), thor-linux-64 (Linux), thor-macosx (macOS)
- THOR Lite: thor64-lite.exe (Windows), thor-lite-linux-64 (Linux), thor-lite-macos (macOS)
If recommending --lab mode, check license type first:
- grep -i forensiclab *.lic - if found, --lab is available
- If not found (or THOR Lite), use alternative: -a Filescan --intense --norescontrol --cross-platform
Check thor-util presence for update/diagnostics/report tasks.
Identify scan target type:
- live path, mounted image, memory dump, extracted dumps, SSHFS-mounted remote
Choose scan mode and output location; keep outputs deterministic.
If THOR Lite: note that lab mode and Sigma are unavailable. See THOR Lite limitations.

Important flag rules

Never use --lab --intense together - --lab already includes intense mode
Check license before recommending --lab - requires Forensic Lab license
THOR Lite has no --lab - always use the alternative flag combination

Use these references when needed

Environment detection: reference/env-detection.md
Scan modes overview: reference/scan-modes.md
Forensic lab mode: reference/lab-mode.md
Performance and threading: reference/performance.md
Output and reports: reference/output-and-reporting.md
Signature selectors/filters: reference/signature-filtering.md
THOR Lite limitations: ../thor-lite/reference/limitations.md

Example templates

examples/windows-live-scan.md
examples/linux-mounted-image.md
examples/macos-scan.md
examples/memory-dump.md
examples/sshfs-remote-scan.md - for appliances and unsupported architectures

Output format

First line: one recommended command (single-line).
Then: short explanation of key flags.
Then: "If it fails" section with 2-3 likely causes and next commands to run.

nextronsystems/thor-scan

thor-scan/SKILL.md

Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.

9 stars

content-media

Updated Apr 8, 2026

$ install --global

skillsauth

npx skillsauth add nextronsystems/thor-skill thor-scan

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 8, 2026, 2:35 AM12.3s12 files scanned

SKILL.md

name:: thor-scan
description:: Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.

THOR Scan Skill

Goal: produce a safe, reproducible THOR command line and minimal preflight checks.

Rules

Prefer THOR v10 stable unless the user explicitly wants v11 TechPreview features.
Always start with environment detection: OS, THOR path, license presence, and whether thor-util exists.
Identify if user has full THOR or THOR Lite (different binaries, different capabilities).
Avoid "magic flags". Explain why each non-trivial flag is used.
Default to focusing on forensic / lab workflows; if it's live endpoint scanning, keep it conservative.

Preflight checklist

List the THOR install directory first (ls or dir). This immediately tells you:
- Which THOR version you have (binary names contain "lite" for THOR Lite)
- What binaries and tools are available
- What license files exist
Verify the correct binary exists:
- Full THOR: thor64.exe (Windows), thor-linux-64 (Linux), thor-macosx (macOS)
- THOR Lite: thor64-lite.exe (Windows), thor-lite-linux-64 (Linux), thor-lite-macos (macOS)
If recommending --lab mode, check license type first:
- grep -i forensiclab *.lic - if found, --lab is available
- If not found (or THOR Lite), use alternative: -a Filescan --intense --norescontrol --cross-platform
Check thor-util presence for update/diagnostics/report tasks.
Identify scan target type:
- live path, mounted image, memory dump, extracted dumps, SSHFS-mounted remote
Choose scan mode and output location; keep outputs deterministic.
If THOR Lite: note that lab mode and Sigma are unavailable. See THOR Lite limitations.

Important flag rules

Never use --lab --intense together - --lab already includes intense mode
Check license before recommending --lab - requires Forensic Lab license
THOR Lite has no --lab - always use the alternative flag combination

Use these references when needed

Environment detection: reference/env-detection.md
Scan modes overview: reference/scan-modes.md
Forensic lab mode: reference/lab-mode.md
Performance and threading: reference/performance.md
Output and reports: reference/output-and-reporting.md
Signature selectors/filters: reference/signature-filtering.md
THOR Lite limitations: ../thor-lite/reference/limitations.md

Example templates

examples/windows-live-scan.md
examples/linux-mounted-image.md
examples/macos-scan.md
examples/memory-dump.md
examples/sshfs-remote-scan.md - for appliances and unsupported architectures

Output format

First line: one recommended command (single-line).
Then: short explanation of key flags.
Then: "If it fails" section with 2-3 likely causes and next commands to run.

Related Skills

nextronsystems/thor-troubleshooting

data-ai

VerifiedTrustedCommunity

Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.

9SKILL.mdUpdated Apr 8, 2026

nextronsystems/thor-troubleshooting

nextronsystems/thor-plugins

tools

VerifiedTrustedCommunity

Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.

9SKILL.mdUpdated Apr 8, 2026

nextronsystems/thor-plugins

nextronsystems/thor-maintenance

development

VerifiedTrustedCommunity

--- name: thor-maintenance description: Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation. --- # THOR Maintenance Skill Rules - Be precise about thor-util verbs: - update = signatures - upgrade = program + signatures, keep config - download = full pack incl config (offline use case) - Prefer stable signatures; mention sigdev only for urg

9SKILL.mdUpdated Apr 8, 2026

nextronsystems/thor-maintenance

nextronsystems/thor-log-analysis

data-ai

VerifiedTrustedCommunity

Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.

9SKILL.mdUpdated Apr 8, 2026

nextronsystems/thor-log-analysis

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/nextronsystems/thor-skill.git

# Copy into Claude Code skills folder (global)
cp -r thor-skill/thor-scan ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

nextronsystems/thor-skill

9 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT