Back to Security & Vulnerability Analysis
entry-point-analyzer
smart contractsblockchainsecurity auditsolidityvyperrustaccess controlentry points
Install this skill
npx skills add trailofbits/skillsWorks across Claude Code, Cursor, Codex, Copilot & Antigravity
The entry-point-analyzer skill focuses on identifying functions within smart contract codebases capable of altering contract storage. By systematically filtering out read-only methods—such as getters, views, and queries—this tool narrows the audit scope to operations that pose risks to fund security and state integrity. It categorizes these functions based on access requirements, distinguishing between unrestricted public entry points, role-restricted administrative functions, and internal callbacks triggered by other contracts. The output provides a clear map of the attack surface, allowing auditors to prioritize their manual review on high-privilege operations. Supporting multiple ecosystems like Solidity, Vyper, Solana, and Move, the analyzer integrates with existing development tooling to ensure that every potential state-modifying path is identified and documented for further security evaluation.
When to Use This Skill
- •Mapping the attack surface at the start of a security audit
- •Verifying that administrative functions are properly protected by role-checks
- •Creating a summary of all functions that can move funds or alter balances
- •Auditing callback handlers in DeFi protocols to prevent unauthorized execution
How to Invoke This Skill
Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:
- “Identify all state-changing functions in this contract
- “List the public entry points for the current codebase
- “What are the administrative functions that modify state?
- “Generate a report of all external functions that change contract storage
- “Show me the attack surface by listing all mutating entry points
Pro Tips
- 💡Combine with `audit-context-building` to enrich identified entry points with relevant vulnerability patterns and historical context.
- 💡After identifying entry points, use `solidity-test-generator` or similar to create targeted test cases specifically for state transitions and access control logic.
- 💡Run this skill against different versions of a contract to identify new, removed, or modified state-changing entry points during an upgrade or migration audit.
What this skill does
- •Filters out non-mutating functions to isolate state-changing entry points
- •Maps access controls including public, role-based, and contract-internal logic
- •Automates discovery using Slither printers where supported
- •Standardizes security reports across diverse languages like Solidity and Move
- •Identifies common callback patterns and cross-contract hooks
When not to use it
- ✕Performing automated vulnerability scanning or bug detection
- ✕Analyzing read-only interfaces or getters
- ✕Developing functional exploits or proof-of-concept scripts
Example workflow
- Detect the programming language and framework of the repository
- Execute Slither or manual parsing to list all contract functions
- Filter the results to include only state-modifying functions
- Group the functions by their access modifiers or role requirements
- Compile the findings into a structured markdown document for review
Prerequisites
- –Access to the source code repository
- –Development environment configured for the target language
- –Slither installed for Solidity projects
Pitfalls & limitations
- !Static analysis may miss state changes triggered by complex assembly blocks
- !Dynamic access control patterns might be misclassified without deeper context
- !Compilation errors can prevent Slither from identifying all entry points
FAQ
Why ignore read-only functions?
Read-only functions cannot directly alter contract state or cause loss of funds. Focusing on state-changing functions helps auditors prioritize the most critical attack vectors.
Does this skill work for non-Solidity projects?
Yes, it supports multiple languages including Vyper, Rust-based Solana programs, Move, and TON by using language-specific reference files for pattern matching.
What happens if Slither fails to run?
The tool falls back to manual inspection, relying on language-specific parsing rules to identify entry points based on visibility keywords and mutation indicators.
How it compares
Unlike a generic prompt that might return a list of all functions, this skill specifically filters for state-changing logic and forces categorization by access control to ensure a risk-focused audit output.
📄 Full skill instructions — original source: trailofbits/skills
# Entry Point Analyzer
Systematically identify all **state-changing** entry points in a smart contract codebase to guide security audits.
## When to Use
Use this skill when:
- Starting a smart contract security audit to map the attack surface
- Asked to find entry points, external functions, or audit flows
- Analyzing access control patterns across a codebase
- Identifying privileged operations and role-restricted functions
- Building an understanding of which functions can modify contract state
## When NOT to Use
Do NOT use this skill for:
- Vulnerability detection (use audit-context-building or domain-specific-audits)
- Writing exploit POCs (use solidity-poc-builder)
- Code quality or gas optimization analysis
- Non-smart-contract codebases
- Analyzing read-only functions (this skill excludes them)
## Scope: State-Changing Functions Only
This skill focuses exclusively on functions that can modify state. **Excluded:**
| Language | Excluded Patterns |
|----------|-------------------|
| Solidity |
| Vyper |
| Solana | Functions without
| Move | Non-entry
| TON |
| CosmWasm |
**Why exclude read-only functions?** They cannot directly cause loss of funds or state corruption. While they may leak information, the primary audit focus is on functions that can change state.
## Workflow
1. **Detect Language** - Identify contract language(s) from file extensions and syntax
2. **Use Tooling (if available)** - For Solidity, check if Slither is available and use it
3. **Locate Contracts** - Find all contract/module files (apply directory filter if specified)
4. **Extract Entry Points** - Parse each file for externally callable, state-changing functions
5. **Classify Access** - Categorize each function by access level
6. **Generate Report** - Output structured markdown report
## Slither Integration (Solidity)
For Solidity codebases, Slither can automatically extract entry points. Before manual analysis:
### 1. Check if Slither is Available
### 2. If Slither is Detected, Run Entry Points Printer
This outputs a table of all state-changing entry points with:
- Contract name
- Function name
- Visibility
- Modifiers applied
### 3. Use Slither Output as Foundation
- Parse the Slither output table to populate your analysis
- Cross-reference with manual inspection for access control classification
- Slither may miss some patterns (callbacks, dynamic access control)—supplement with manual review
- If Slither fails (compilation errors, unsupported features), fall back to manual analysis
### 4. When Slither is NOT Available
If
## Language Detection
| Extension | Language | Reference |
|-----------|----------|-----------|
|
|
|
|
|
|
Load the appropriate reference file(s) based on detected language before analysis.
## Access Classification
Classify each state-changing entry point into one of these categories:
### 1. Public (Unrestricted)
Functions callable by anyone without restrictions.
### 2. Role-Restricted
Functions limited to specific roles. Common patterns to detect:
- Explicit role names:
- Role-checking patterns:
- When role is ambiguous, flag as **"Restricted (review required)"** with the restriction pattern noted
### 3. Contract-Only (Internal Integration Points)
Functions callable only by other contracts, not by EOAs. Indicators:
- Callbacks:
- Interface implementations with contract-caller checks
- Functions that revert if
- Cross-contract hooks
## Output Format
Generate a markdown report with this structure:
## Filtering
When user specifies a directory filter:
- Only analyze files within that path
- Note the filter in the report header
- Example: "Analyze only
## Analysis Guidelines
1. **Be thorough**: Don't skip files. Every state-changing externally callable function matters.
2. **Be conservative**: When uncertain about access level, flag for review rather than miscategorize.
3. **Skip read-only**: Exclude
4. **Note inheritance**: If a function's access control comes from a parent contract, note this.
5. **Track modifiers**: List all access-related modifiers/decorators applied to each function.
6. **Identify patterns**: Look for common patterns like:
- Initializer functions (often unrestricted on first call)
- Upgrade functions (high-privilege)
- Emergency/pause functions (guardian-level)
- Fee/parameter setters (admin-level)
- Token transfers and approvals (often public)
## Common Role Patterns by Protocol Type
| Protocol Type | Common Roles |
|---------------|--------------|
| DEX |
| Lending |
| Governance |
| NFT |
| Bridge |
| Vault/Yield |
## Rationalizations to Reject
When analyzing entry points, reject these shortcuts:
- "This function looks standard" → Still classify it; standard functions can have non-standard access control
- "The modifier name is clear" → Verify the modifier's actual implementation
- "This is obviously admin-only" → Trace the actual restriction; "obvious" assumptions miss subtle bypasses
- "I'll skip the callbacks" → Callbacks define trust boundaries; always include them
- "It doesn't modify much state" → Any state change can be exploited; include all non-view functions
## Error Handling
If a file cannot be parsed:
1. Note it in the report under "Analysis Warnings"
2. Continue with remaining files
3. Suggest manual review for unparsable files
Systematically identify all **state-changing** entry points in a smart contract codebase to guide security audits.
## When to Use
Use this skill when:
- Starting a smart contract security audit to map the attack surface
- Asked to find entry points, external functions, or audit flows
- Analyzing access control patterns across a codebase
- Identifying privileged operations and role-restricted functions
- Building an understanding of which functions can modify contract state
## When NOT to Use
Do NOT use this skill for:
- Vulnerability detection (use audit-context-building or domain-specific-audits)
- Writing exploit POCs (use solidity-poc-builder)
- Code quality or gas optimization analysis
- Non-smart-contract codebases
- Analyzing read-only functions (this skill excludes them)
## Scope: State-Changing Functions Only
This skill focuses exclusively on functions that can modify state. **Excluded:**
| Language | Excluded Patterns |
|----------|-------------------|
| Solidity |
view, pure functions || Vyper |
@view, @pure functions || Solana | Functions without
mut account references || Move | Non-entry
public fun (module-callable only) || TON |
get methods (FunC), read-only receivers (Tact) || CosmWasm |
query entry point and its handlers |**Why exclude read-only functions?** They cannot directly cause loss of funds or state corruption. While they may leak information, the primary audit focus is on functions that can change state.
## Workflow
1. **Detect Language** - Identify contract language(s) from file extensions and syntax
2. **Use Tooling (if available)** - For Solidity, check if Slither is available and use it
3. **Locate Contracts** - Find all contract/module files (apply directory filter if specified)
4. **Extract Entry Points** - Parse each file for externally callable, state-changing functions
5. **Classify Access** - Categorize each function by access level
6. **Generate Report** - Output structured markdown report
## Slither Integration (Solidity)
For Solidity codebases, Slither can automatically extract entry points. Before manual analysis:
### 1. Check if Slither is Available
which slither### 2. If Slither is Detected, Run Entry Points Printer
slither . --print entry-pointsThis outputs a table of all state-changing entry points with:
- Contract name
- Function name
- Visibility
- Modifiers applied
### 3. Use Slither Output as Foundation
- Parse the Slither output table to populate your analysis
- Cross-reference with manual inspection for access control classification
- Slither may miss some patterns (callbacks, dynamic access control)—supplement with manual review
- If Slither fails (compilation errors, unsupported features), fall back to manual analysis
### 4. When Slither is NOT Available
If
which slither returns nothing, proceed with manual analysis using the language-specific reference files.## Language Detection
| Extension | Language | Reference |
|-----------|----------|-----------|
|
.sol | Solidity | [{baseDir}/references/solidity.md]({baseDir}/references/solidity.md) ||
.vy | Vyper | [{baseDir}/references/vyper.md]({baseDir}/references/vyper.md) ||
.rs + Cargo.toml with solana-program | Solana (Rust) | [{baseDir}/references/solana.md]({baseDir}/references/solana.md) ||
.move | Move (Aptos/Sui) | [{baseDir}/references/move.md]({baseDir}/references/move.md) ||
.fc, .func, .tact | TON (FunC/Tact) | [{baseDir}/references/ton.md]({baseDir}/references/ton.md) ||
.rs + Cargo.toml with cosmwasm-std | CosmWasm | [{baseDir}/references/cosmwasm.md]({baseDir}/references/cosmwasm.md) |Load the appropriate reference file(s) based on detected language before analysis.
## Access Classification
Classify each state-changing entry point into one of these categories:
### 1. Public (Unrestricted)
Functions callable by anyone without restrictions.
### 2. Role-Restricted
Functions limited to specific roles. Common patterns to detect:
- Explicit role names:
admin, owner, governance, guardian, operator, manager, minter, pauser, keeper, relayer, lender, borrower- Role-checking patterns:
onlyRole, hasRole, require(msg.sender == X), assert_owner, #[access_control]- When role is ambiguous, flag as **"Restricted (review required)"** with the restriction pattern noted
### 3. Contract-Only (Internal Integration Points)
Functions callable only by other contracts, not by EOAs. Indicators:
- Callbacks:
onERC721Received, uniswapV3SwapCallback, flashLoanCallback- Interface implementations with contract-caller checks
- Functions that revert if
tx.origin == msg.sender- Cross-contract hooks
## Output Format
Generate a markdown report with this structure:
# Entry Point Analysis: [Project Name]
**Analyzed**: [timestamp]
**Scope**: [directories analyzed or "full codebase"]
**Languages**: [detected languages]
**Focus**: State-changing functions only (view/pure excluded)
## Summary
| Category | Count |
|----------|-------|
| Public (Unrestricted) | X |
| Role-Restricted | X |
| Restricted (Review Required) | X |
| Contract-Only | X |
| **Total** | **X** |
---
## Public Entry Points (Unrestricted)
State-changing functions callable by anyone—prioritize for attack surface analysis.
| Function | File | Notes |
|----------|------|-------|
| functionName(params) | path/to/file.sol:L42 | Brief note if relevant |
---
## Role-Restricted Entry Points
### Admin / Owner
| Function | File | Restriction |
|----------|------|-------------|
| setFee(uint256) | Config.sol:L15 | onlyOwner |
### Governance
| Function | File | Restriction |
|----------|------|-------------|
### Guardian / Pauser
| Function | File | Restriction |
|----------|------|-------------|
### Other Roles
| Function | File | Restriction | Role |
|----------|------|-------------|------|
---
## Restricted (Review Required)
Functions with access control patterns that need manual verification.
| Function | File | Pattern | Why Review |
|----------|------|---------|------------|
| execute(bytes) | Executor.sol:L88 | require(trusted[msg.sender]) | Dynamic trust list |
---
## Contract-Only (Internal Integration Points)
Functions only callable by other contracts—useful for understanding trust boundaries.
| Function | File | Expected Caller |
|----------|------|-----------------|
| onFlashLoan(...) | Vault.sol:L200 | Flash loan provider |
---
## Files Analyzed
- path/to/file1.sol (X state-changing entry points)
- path/to/file2.sol (X state-changing entry points)## Filtering
When user specifies a directory filter:
- Only analyze files within that path
- Note the filter in the report header
- Example: "Analyze only
src/core/" → scope = src/core/## Analysis Guidelines
1. **Be thorough**: Don't skip files. Every state-changing externally callable function matters.
2. **Be conservative**: When uncertain about access level, flag for review rather than miscategorize.
3. **Skip read-only**: Exclude
view, pure, and equivalent read-only functions.4. **Note inheritance**: If a function's access control comes from a parent contract, note this.
5. **Track modifiers**: List all access-related modifiers/decorators applied to each function.
6. **Identify patterns**: Look for common patterns like:
- Initializer functions (often unrestricted on first call)
- Upgrade functions (high-privilege)
- Emergency/pause functions (guardian-level)
- Fee/parameter setters (admin-level)
- Token transfers and approvals (often public)
## Common Role Patterns by Protocol Type
| Protocol Type | Common Roles |
|---------------|--------------|
| DEX |
owner, feeManager, pairCreator || Lending |
admin, guardian, liquidator, oracle || Governance |
proposer, executor, canceller, timelock || NFT |
minter, admin, royaltyReceiver || Bridge |
relayer, guardian, validator, operator || Vault/Yield |
strategist, keeper, harvester, manager |## Rationalizations to Reject
When analyzing entry points, reject these shortcuts:
- "This function looks standard" → Still classify it; standard functions can have non-standard access control
- "The modifier name is clear" → Verify the modifier's actual implementation
- "This is obviously admin-only" → Trace the actual restriction; "obvious" assumptions miss subtle bypasses
- "I'll skip the callbacks" → Callbacks define trust boundaries; always include them
- "It doesn't modify much state" → Any state change can be exploited; include all non-view functions
## Error Handling
If a file cannot be parsed:
1. Note it in the report under "Analysis Warnings"
2. Continue with remaining files
3. Suggest manual review for unparsable files
How to Use This Skill Unit
Option A: Project-Specific (Recommended)
- Click "Download" above
- In your project, create the directory:
.agent/skills/entry-point-analyzer/ - Save the file as
SKILL.md - The agent will automatically discover the skill based on its description.
Option B: Global Installation (All Agents)
Save the file to these locations to make it available across all projects:
- Claude Code:
~/.claude/skills/trailofbits/skills/entry-point-analyzer/SKILL.md - Cursor:
~/.cursor/skills/trailofbits/skills/entry-point-analyzer/SKILL.md - Antigravity:
~/.gemini/antigravity/skills/trailofbits/skills/entry-point-analyzer/SKILL.md
🚀 Install with CLI:npx skills add trailofbits/skills
Recommended Rules
View more rules →Rust Fundamentals & Ownership
RustOwnershipBorrowing
You are an expert in Rust programming, specializing in ownership, borrowing, and lifetimes. Key Principles: - Ownership is the central feature of Rus...
Rust Async Programming with Tokio
RustAsyncTokio
You are an expert in Rust asynchronous programming using the Tokio runtime. Key Principles: - Async/await is syntactic sugar for Futures - Futures do...
Rust Web Development (Axum/Actix)
RustWeb DevelopmentAxum
You are an expert in Rust web development using Axum and Actix-web. Key Principles: - Use type-safe routing and handlers - Leverage the ecosystem (To...
Recommended Workflows
View more workflows →Check SSL Certificates
SecurityDevOpsSSL
--- description: Verify SSL certificate validity and expiration --- 1. **Check Expiry**: - Use openssl to check a domain. Replace `google.com` wit...
Setup Semantic Versioning
VersioningReleasesGit
--- description: Automate version bumps and changelog generation --- 1. **Install semantic-release**: - Automate versioning based on commit messag...
Implement Feature Flags
Feature FlagsDeploymentA/B Testing
--- description: Safely release features with toggles for gradual rollouts --- 1. **Simple Approach: Environment Variables**: - Use env vars for b...
