entry-point-analyzer
💡 Summary
Automates the identification of state-changing entry points in smart contracts for security audits.
🎯 Target Audience
🤖 AI Roast: “Powerful, but the setup might scare off the impatient.”
Risk: Medium. Review: filesystem read/write scope and path traversal. Run with least privilege and audit before enabling in production.
Entry Point Analyzer
A Claude skill for systematically identifying state-changing entry points in smart contract codebases to guide security audits.
Purpose
When auditing smart contracts, examining each file or function individually is inefficient. What auditors need is to start from entry points—the externally callable functions that represent the attack surface. This skill automates the identification and classification of state-changing entry points, excluding view/pure/read-only functions that cannot directly cause loss of funds or state corruption.
Supported Languages
| Language | File Extensions | Framework Support |
|----------|-----------------|-------------------|
| Solidity | .sol | OpenZeppelin, custom modifiers |
| Vyper | .vy | Native patterns |
| Solana | .rs | Anchor, Native |
| Move | .move | Aptos, Sui |
| TON | .fc, .func, .tact | FunC, Tact |
| CosmWasm | .rs | cw-ownable, cw-controllers |
Access Classifications
The skill categorizes entry points into four levels:
- Public (Unrestricted) — Callable by anyone; highest audit priority
- Role-Restricted — Limited to specific roles (admin, governance, guardian, etc.)
- Review Required — Ambiguous access patterns needing manual verification
- Contract-Only — Internal integration points (callbacks, hooks)
Output
Generates a structured markdown report with:
- Summary table of entry point counts by category
- Detailed tables for each access level
- Function signatures with file:line references
- Restriction patterns and role assignments
- List of analyzed files
Usage
Trigger the skill with requests like:
- "Analyze the entry points in this codebase"
- "Find all external functions and access levels"
- "List audit flows for src/core/"
- "What privileged operations exist in this project?"
Directory Filtering
Specify a subdirectory to limit scope:
- "Analyze only src/core/"
- "Find entry points in contracts/protocol/"
Role Detection
The skill infers roles from common patterns:
| Pattern | Detected Role |
|---------|---------------|
| onlyOwner, msg.sender == owner | Owner |
| onlyAdmin, ADMIN_ROLE | Admin |
| onlyGovernance, governance | Governance |
| onlyGuardian, onlyPauser | Guardian |
| onlyKeeper, onlyRelayer | Keeper/Relayer |
| onlyStrategy, strategist | Strategist |
| Dynamic checks (authorized[msg.sender]) | Review Required |
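As an added illustration of the two sections above (access classifications and role detection), here is a small Python classifier written for this page; it is not the skill's own code (the skill is a Claude prompt, not a script) and it covers Solidity only. It assumes a regex-based reading of the source rather than a real parser, the README's role patterns as first-match heuristics, a `require(... msg.sender ...)` with no recognised role as the "dynamic check" that lands in Review Required, and callback-style names (`onERC721Received`, `*Callback`, `*Hook`) as Contract-Only; the `Vault` contract, its function names and all file:line values are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

PUBLIC, ROLE, REVIEW, CONTRACT = ("Public (Unrestricted)", "Role-Restricted",
                                  "Review Required", "Contract-Only")
# Role heuristics follow the README's pattern table; the first match wins.
ROLE_PATTERNS = [
    (re.compile(r"\bonlyOwner\b|msg\.sender\s*==\s*owner\b"), "Owner"),
    (re.compile(r"\bonlyAdmin\b|\bADMIN_ROLE\b"), "Admin"),
    (re.compile(r"\bonlyGovernance\b|\bgovernance\b"), "Governance"),
    (re.compile(r"\bonlyGuardian\b|\bonlyPauser\b"), "Guardian"),
    (re.compile(r"\bonlyKeeper\b|\bonlyRelayer\b"), "Keeper/Relayer"),
    (re.compile(r"\bonlyStrategy\b|\bstrategist\b"), "Strategist"),
]
# A require() gated on msg.sender with no recognised role, e.g. authorized[msg.sender] (assumption).
DYNAMIC_CHECK = re.compile(r"require\s*\([^;]*msg\.sender")
# Naming conventions assumed for callbacks/hooks that only other contracts are expected to call.
CALLBACK_NAME = re.compile(r"^on[A-Z]\w*$|Callback$|Hook$")
# Function header: name, parameters, modifiers/returns, then "{" (body) or ";" (no body).
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)([{;])")

@dataclass
class EntryPoint:
    name: str
    file: str
    line: int
    classification: str
    role: str  # "-" when no role is required

def _block(src: str, open_idx: int) -> str:
    """Text inside the brace block that opens at open_idx (depth-matched)."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += (src[i] == "{") - (src[i] == "}")
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def classify(name: str, header: str, body: str) -> tuple[str, str]:
    """Map a function's modifiers, body checks and name to one of the four access levels."""
    for pattern, role in ROLE_PATTERNS:
        if pattern.search(header + "\n" + body):
            return ROLE, role
    if DYNAMIC_CHECK.search(body):
        return REVIEW, "dynamic check"
    if CALLBACK_NAME.search(name):
        return CONTRACT, "-"
    return PUBLIC, "-"

def analyze(src: str, filename: str) -> list[EntryPoint]:
    """Collect external/public, state-changing functions with their access level."""
    found = []
    for m in FUNC_RE.finditer(src):
        name, header, opener = m.group(1), m.group(3), m.group(4)
        tokens = set(header.split())
        # Skip internal/private (not reachable from outside) and view/pure (cannot change state).
        if not tokens & {"external", "public"} or tokens & {"view", "pure"}:
            continue
        body = _block(src, m.end() - 1) if opener == "{" else ""
        level, role = classify(name, header, body)
        found.append(EntryPoint(name, filename, src.count("\n", 0, m.start()) + 1, level, role))
    return found

def summarize(entries: list[EntryPoint]) -> dict[str, int]:
    counts = Counter(e.classification for e in entries)
    return {level: counts.get(level, 0) for level in (PUBLIC, ROLE, REVIEW, CONTRACT)}

def render_report(entries: list[EntryPoint]) -> str:
    """Markdown report: summary counts, then one table per access level."""
    out = ["| Category | Count |", "|---|---|"]
    out += [f"| {level} | {n} |" for level, n in summarize(entries).items()]
    for level in (PUBLIC, ROLE, REVIEW, CONTRACT):
        rows = [e for e in entries if e.classification == level]
        if rows:
            out += ["", f"## {level}", "| Function | Location | Role |", "|---|---|---|"]
            out += [f"| {e.name} | {e.file}:{e.line} | {e.role} |" for e in rows]
    return "\n".join(out)

# Constructed sample contract (not from any real project) that exercises each classification.
SAMPLE_SOURCE = """contract Vault {
    address public owner;
    address public guardian;
    bool public paused;
    uint256 public fee;
    mapping(address => bool) public authorized;
    mapping(address => uint256) public balances;
    modifier onlyOwner() { require(msg.sender == owner, "owner"); _; }
    modifier onlyGuardian() { require(msg.sender == guardian, "guardian"); _; }
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) external {
        require(authorized[msg.sender], "not authorized");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }
    function setFee(uint256 newFee) external onlyOwner { fee = newFee; }
    function pause() external onlyGuardian { paused = true; }
    function totalAssets() external view returns (uint256) { return address(this).balance; }
    function onERC721Received(address, address, uint256, bytes calldata) external returns (bytes4) { return this.onERC721Received.selector; }
    function _sweep(address to) internal { payable(to).transfer(address(this).balance); }
}"""

if __name__ == "__main__":
    print(render_report(analyze(SAMPLE_SOURCE, "Vault.sol")))
```

Running it prints the summary table (1 Public, 2 Role-Restricted, 1 Review Required, 1 Contract-Only) followed by a table per level; `totalAssets` (view) and `_sweep` (internal) never appear, which is the point of starting an audit from state-changing entry points. The "Review Required" bucket is where the regex approach deliberately gives up: `authorized[msg.sender]` may be as strict as `onlyOwner` or wide open depending on who can set `authorized`, and only reading that setter tells you which.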
Installation
/plugin install trailofbits/skills/plugins/entry-point-analyzer
License
See LICENSE.txt for terms.
Pros
- Streamlines the auditing process.
- Categorizes entry points for better focus.
- Supports multiple blockchain languages.
- Generates detailed reports.
Cons
- May require manual verification for ambiguous patterns.
- Limited to specific blockchain languages.
- Dependency on accurate role detection.
- Initial setup may be complex.
Related Skills
- building-secure-contracts
- spec-to-code-compliance
- pytorch: "It's the Swiss Army knife of deep learning, but good luck figuring out which of the 47 installation methods is the one that won't break your system."
Disclaimer: This content is sourced from GitHub open source projects for display and rating purposes only.
Copyright belongs to the original author trailofbits.
