entry-point-analyzer

Solid

Analyzes smart contract codebases to identify state-changing entry points for security auditing. Detects externally callable functions that modify state, categorizes them by access level (public, admin, role-restricted, contract-only), and generates structured audit reports. Excludes view/pure/read-only functions. Use when auditing smart contracts (Solidity, Vyper, Solana/Rust, Move, TON, CosmWasm) or when asked to find entry points, audit flows, external functions, access control patterns, or privileged operations.

Data & Documents 5,673 stars 496 forks Updated today CC-BY-SA-4.0


Quality Score: 93/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Entry Point Analyzer

Systematically identify all **state-changing** entry points in a smart contract codebase to guide security audits.

## When to Use

Use this skill when:

- Starting a smart contract security audit to map the attack surface
- Asked to find entry points, external functions, or audit flows
- Analyzing access control patterns across a codebase
- Identifying privileged operations and role-restricted functions
- Building an understanding of which functions can modify contract state

## When NOT to Use

Do NOT use this skill for:

- Vulnerability detection (use audit-context-building or domain-specific-audits)
- Writing exploit POCs (use solidity-poc-builder)
- Code quality or gas optimization analysis
- Non-smart-contract codebases
- Analyzing read-only functions (this skill excludes them)

## Scope: State-Changing Functions Only

This skill focuses exclusively on functions that can modify state.

**Excluded:**

| Language | Excluded Patterns |
|----------|-------------------|
| Solidity | `view`, `pure` functions |
| Vyper | `@view`, `@pure` functions |
| Solana | Functions without `mut` account references |
| Move | Non-entry `public fun` (module-callable only) |
| TON | `get` methods (FunC), read-only receivers (Tact) |
| CosmWasm | `query` entry point and its handlers |

**Why exclude read-only functions?** They cannot directly cause loss of funds or state corruption. While they may leak information, the primary audit focus is on functions that can change s...
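As an added worked example (this is editorial illustration, not code from the trailofbits skill or its repository), the Python script below applies the Solidity row of the scope rule to a constructed sample contract: it keeps only `public`/`external` functions, drops `view`/`pure` ones and `internal`/`private` ones, and buckets what remains into the four access levels named in the description (public, admin, role-restricted, contract-only). The sample `Vault` contract, the modifier-name tables (`ADMIN_MODIFIERS`, `ROLE_MODIFIER_PREFIXES`) and the `msg.sender` heuristics are all assumptions made for the example; a real codebase needs its own mapping, and a regex scanner is a first pass, not a substitute for reading the access-control code.

```python
import re
from dataclasses import dataclass, field

# Added example, not the skill's own code. Heuristic Solidity scanner that
# keeps externally callable, state-changing functions and buckets them by
# caller. Assumption: modifier names map to buckets as below; tune per codebase.
VISIBILITIES = {"public", "external", "internal", "private"}
MUTABILITIES = {"view", "pure", "payable"}
ADMIN_MODIFIERS = {"onlyOwner", "onlyAdmin", "onlyGovernance"}
ROLE_MODIFIER_PREFIXES = ("onlyRole", "hasRole")
IGNORED = VISIBILITIES | MUTABILITIES | {"virtual", "override"}

COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
HEADER_RE = re.compile(  # function/receive/fallback header up to its '{' or ';'
    r"\b(?:function\s+(?P<name>\w+)|(?P<special>receive|fallback))\s*"
    r"\((?P<params>[^)]*)\)\s*(?P<tail>[^{;]*)(?P<end>[{;])", re.DOTALL)
RETURNS_RE = re.compile(r"\breturns\s*\([^)]*\)")
TOKEN_RE = re.compile(r"\b([A-Za-z_]\w*)\s*(?:\([^)]*\))?")  # e.g. onlyRole(X)
SENDER_IS_OWNER_RE = re.compile(r"msg\.sender\s*==\s*(?:owner|_owner|admin)\b")
SENDER_IS_CONTRACT_RE = re.compile(r"msg\.sender\s*==\s*address\(")


@dataclass
class EntryPoint:
    name: str
    visibility: str
    mutability: str
    modifiers: list = field(default_factory=list)
    access: str = "public"


def _body_after(src, open_brace):
    """Text between the '{' at open_brace and its matching '}' (comments already stripped)."""
    depth = 0
    for i in range(open_brace, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_brace + 1:i]
    return src[open_brace + 1:]


def _classify(modifiers, body):
    """Who may call: admin, role-restricted, contract-only, else public."""
    if any(m in ADMIN_MODIFIERS for m in modifiers) or SENDER_IS_OWNER_RE.search(body):
        return "admin"
    if any(m.startswith(ROLE_MODIFIER_PREFIXES) for m in modifiers):
        return "role-restricted"
    if SENDER_IS_CONTRACT_RE.search(body):
        return "contract-only"
    return "public"


def find_entry_points(source):
    """Externally callable, state-changing functions in source order."""
    src = COMMENT_RE.sub("", source)
    found = []
    for m in HEADER_RE.finditer(src):
        if m.group("end") == ";":
            continue  # interface/abstract declaration: audit the implementation
        tokens = TOKEN_RE.findall(RETURNS_RE.sub("", m.group("tail")))
        visibility = next((t for t in tokens if t in VISIBILITIES), "public")
        mutability = next((t for t in tokens if t in MUTABILITIES), "nonpayable")
        if visibility in ("internal", "private") or mutability in ("view", "pure"):
            continue  # not callable from outside, or read-only: out of scope
        modifiers = [t for t in tokens if t not in IGNORED]
        body = _body_after(src, m.end() - 1)
        found.append(EntryPoint(m.group("name") or m.group("special"),
                                visibility, mutability, modifiers,
                                _classify(modifiers, body)))
    return found


def summarize(entry_points):
    """Entry-point names grouped by access bucket."""
    out = {k: [] for k in ("public", "admin", "role-restricted", "contract-only")}
    for ep in entry_points:
        out[ep.access].append(ep.name)
    return out


# Constructed sample contract (not from any real project).
SAMPLE_CONTRACT = """
pragma solidity ^0.8.20;
contract Vault {
    address public owner;
    address public clearingHouse;
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    mapping(address => uint256) private balances;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyRole(bytes32 role) { require(hasRole(role, msg.sender)); _; }
    modifier nonReentrant() { _; }
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) public nonReentrant {
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }
    function balanceOf(address who) external view returns (uint256) { return balances[who]; }
    function setClearingHouse(address ch) external onlyOwner { clearingHouse = ch; }
    function mint(address to, uint256 amount)
        external
        onlyRole(MINTER_ROLE)
        returns (bool)
    { balances[to] += amount; return true; }
    function settle(address user, uint256 amount) external {
        require(msg.sender == address(clearingHouse), "only clearing house");
        balances[user] -= amount;
    }
    function _sweep(address to) internal { payable(to).transfer(address(this).balance); }
    function hasRole(bytes32, address) public pure returns (bool) { return true; }
    receive() external payable { balances[msg.sender] += msg.value; }
}
"""

if __name__ == "__main__":
    for ep in find_entry_points(SAMPLE_CONTRACT):
        print(f"{ep.name:18} {ep.visibility:9} {ep.mutability:10} {ep.access:16} {ep.modifiers}")
```

Running it lists `deposit`, `withdraw`, `setClearingHouse`, `mint`, `settle` and `receive`, while `balanceOf` (view), `hasRole` (pure) and `_sweep` (internal) are dropped. Note that `nonReentrant` on `withdraw` is recorded as a modifier but does not change its bucket: only modifiers that gate the caller affect access level, which is exactly the distinction an auditor wants surfaced before reading privileged flows.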

Details

Author: trailofbits
Repository: trailofbits/skills
Created: 4 months ago
Last Updated: today
Language: Python
License: CC-BY-SA-4.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Listed

entry-point-analyzer

Analyzes smart contract codebases to identify state-changing entry points for security auditing. Detects externally callable functions that modify state, categorizes them by access level (public, admin, role-restricted, contract-only), and generates structured audit reports. Excludes view/pure/read-only functions. Use when auditing smart contracts (Solidity, Vyper, Solana/Rust, Move, TON, CosmWasm) or when asked to find entry points, audit flows, external functions, access control patterns, or privileged operations.

1 Updated 1 week ago
kevinvwong
AI & Automation Listed

solidity-auditor

Solidity development standards and security auditing. TRIGGER when: working with .sol files, foundry.toml, hardhat.config.*, smart contract auditing, security review, or vulnerability analysis. Covers Foundry-first development patterns, vulnerability taxonomies, and audit methodology. DO NOT TRIGGER when: general Ethereum tooling/ecosystem questions (use ethskills skill), or Noir/ZK circuits (use noir skill).

1 Updated 1 week ago
DROOdotFOO
Data & Documents Listed

security-audit

Deep adversarial security audit engine for full-stack web applications. Use this skill when the user wants to audit a codebase for security vulnerabilities, broken access control, injection risks, authentication weaknesses, payment security, file upload exploits, IDOR, CSRF, SSRF, RLS bypass, business logic abuse, rate limiting gaps, or deployment security issues. Trigger whenever the user says "audit my security", "find vulnerabilities", "pen test my app", "is this secure", "check for IDOR", "harden my auth", "review my payment flow for exploits", "can someone bypass this", "what can an attacker do", or shares code and asks about security, exploits, or hardening. Also trigger proactively when reviewing any app that handles auth, payments, file uploads, admin routes, or user-generated content — even if the user doesn't use the word "security".

2 Updated 1 week ago
Heet-P