# Modules All `ax scan` modules must be stored in [`~/.axiom/modules`](https://github.com/attacksurge/ax/tree/master/modules). To create custom modules, see [**Adding Simple Modules**](/fundamentals/scans/modules/adding-simple-modules.md) and [**Adding One-Shot Modules**](/fundamentals/scans/modules/adding-one-shot-modules.md). [Simple Modules](/fundamentals/scans/modules/adding-simple-modules.md) are bash commands defined within JSON files. `ax scan` can execute any bash command you supply in the module, including loops and sub-shells, as long as it's valid JSON. [One-Shot Modules](/fundamentals/scans/modules/adding-one-shot-modules.md) allow you to easily thread any binary or script. If the command in the module contains the string `_target_` or `_safe-target_`, `ax scan` automatically executes the module as a One-Shot Module (unless `--disable-oneshot` is used). `_target_` is replaced with the expanded target list that the current thread is running against. When creating custom modules, make sure to understand how [**Merging and** **Module Extensions**](/fundamentals/scans/modules/merging-and-module-extensions.md) work. These features tell `ax scan` how to download and merge scan results in various formats. When supplying extra command-line arguments to `ax scan` (also known as `extra_args`), these arguments are combined with the commands in the module. This effectively passes the extra arguments to the binary or script you are distributing at run-time. The final command is executed on all instances in parallel. To quickly familiarize yourself with the default modules included in Ax, simply run `ax scan --list`.

modules with long commands were truncated in the above screenshot for readability

Ax scan has some optional variable replacements, simplifying the process of dynamically replacing some variables at runtime, such as wordlists, config files, and folder paths. ## Variable Replacements The following variables will be replaced in both Simple Modules and One-Shot Modules at runtime:

Variable	Replacement and Argument
`_wordlist_`	A wordlist on the remote instances (`-w`). A local wordlist to upload before the scan (`-wL`/`--local-wordlist`) A local wordlist to split and upload before the scan (`-wD`/`--distribute-wordlist`
`_config_`	A file on the remote instances (`--remote-config`) A local file to upload to all instances before the scan (`--local-config`)
`_folder_`	A folder on the remote instances (`--remote-folder`) A local folder to upload to all instances (`--nuclei-templates` or `--local-folder`)

The following variables will only be replaced in [One-Shot](/fundamentals/scans/modules/adding-one-shot-modules.md) modules at runtime:

Variable	Replacement
`_target_`	Replaced with the expanded target list that the current thread is running against
`_cleantarget_`	Replaced with target cleaned from http:// or https://
`_safe-target_`	Replaced with target automatically quoting for commands, stopping subcommands running

{% hint style="info" %} **Safe Target**: By default the string `_target_` in the module is automatically replaced with `_safe-target_`, unless the `ax scan` option `--unsafe` is used. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ax.attacksurge.com/fundamentals/scans/modules.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.