entry-point-analyzer

by trailofbits

entry-point-analyzer helps map state-changing entry points in smart contract codebases for security audit work. It identifies externally callable functions that modify state, groups them by access level, and excludes view, pure, and other read-only paths. Use this entry-point-analyzer guide when you need a focused call-surface inventory for Solidity, Vyper, Solana, Move, TON, or CosmWasm projects.

Stars5k

Favorites0

Comments0

AddedMay 4, 2026

CategorySecurity Audit

Install Command

npx skills add trailofbits/skills --skill entry-point-analyzer

Curation Score

This skill scores 77/100, which means it is a solid but not top-tier listing candidate. Directory users get a clearly scoped, triggerable workflow for identifying state-changing smart-contract entry points across several major languages, with enough rules and examples to reduce guesswork compared with a generic prompt.

77/100

Strengths

Explicit trigger conditions for audits, entry points, access control patterns, and privileged operations.
Strong operational clarity: excludes read-only functions and provides language-specific detection rules and examples.
Good agent leverage from structured references for Solidity, Vyper, Solana, Move, TON, and CosmWasm.

Cautions

No install command or helper scripts, so adoption depends on reading the SKILL.md and references directly.
Scope is intentionally narrow: it helps map entry points, not broader vulnerability detection or exploit generation.

Solidity Rust Move Cosmwasm Ton Vyper

Overview

Overview of entry-point-analyzer skill

The entry-point-analyzer skill helps you map the state-changing attack surface of a smart contract codebase before you start a deeper security review. It is built for audits where the first question is not “is there a bug?” but “which externally reachable functions can change state, and who can call them?”

What entry-point-analyzer is for

Use the entry-point-analyzer skill when you need a practical entry-point inventory for Solidity, Vyper, Solana, Move, TON, or CosmWasm projects. It is especially useful for a entry-point-analyzer for Security Audit workflow: access control review, privileged operation discovery, and audit scoping.

What it filters out

This skill deliberately excludes read-only code paths, pure helpers, and internal-only functions. That makes it more decision-useful than a generic prompt when you want a security-oriented call surface, not a full code walkthrough.

Who benefits most

Best fit: security auditors, protocol engineers, and agents that need to identify public or privileged mutation paths quickly. If your goal is exploit research, gas profiling, or general code quality, this is the wrong tool.

How to Use entry-point-analyzer skill

Install and locate the skill

Use the entry-point-analyzer install flow from the trailofbits/skills plugin repository:

npx skills add trailofbits/skills --skill entry-point-analyzer

Then read the skill entry file first. For this repo, the most useful path is plugins/entry-point-analyzer/skills/entry-point-analyzer/SKILL.md.

Build a strong input prompt

The entry-point-analyzer usage pattern works best when you give it the repository, language, and review goal up front. A strong prompt looks like:

“Analyze this Solidity protocol and list every state-changing external/public entry point, grouped by access control and deployment-time behavior. Exclude view and pure functions. Highlight admin-only, role-gated, fallback, and constructor paths.”

If the codebase mixes languages, say so explicitly. If you only want one module, contract, or package, name it.

Read the support files first

For real output quality, do not stop at SKILL.md. In this skill, the supporting references often clarify language-specific entry-point rules:

references/solidity.md
references/vyper.md
references/solana.md
references/move-aptos.md
references/move-sui.md
references/ton.md
references/cosmwasm.md

These files are where you verify edge cases like fallback handlers, transaction-only functions, message receivers, and access-control patterns.

Workflow that produces useful results

Start by asking for a codebase-wide entry-point map, then follow up with a narrowed pass on the highest-risk entries. For example, after the first inventory, ask for only admin-gated functions, only upgrade or migration paths, or only functions that touch ownership and authorization state. That sequence makes the skill more useful than a one-shot summary.

entry-point-analyzer skill FAQ

Is entry-point-analyzer only for smart contracts?

Yes. The skill is designed for smart contract codebases and chain-specific entry-point conventions. It is not meant for standard backend, frontend, or general-purpose application code.

How is this different from a normal prompt?

A normal prompt often misses language-specific entry-point rules, especially across Solidity, Move, TON, and CosmWasm. The entry-point-analyzer skill gives you a narrower target: state-changing external surfaces only, with exclusion rules that reduce noise.

Is entry-point-analyzer beginner friendly?

Yes, if your goal is to understand the external mutation surface of a contract. It is less friendly if you expect it to find vulnerabilities by itself, because the skill is for scoping and classification rather than exploit detection.

When should I not use it?

Do not use entry-point-analyzer when you need read-only analysis, generic code review, or exploit development. It is also a poor fit if the codebase is not a smart contract system or if you need every function, including internal helpers.

How to Improve entry-point-analyzer skill

Give the analyzer the right boundary

The best entry-point-analyzer usage starts with a clear target scope: one repo, one protocol, or one deployment package. If you include unrelated packages, the result will be noisier and harder to trust.

Specify the access-control question you care about

Users usually want one of three things: “what can anyone call?”, “what is admin-only?”, or “what changes state during deployment or migration?” Ask for that explicitly. The skill is strongest when the output is grouped by callability and privilege, not just listed by file.

Provide language-specific context when it matters

For multi-language repos, tell the skill which framework conventions to prioritize. For example, mention Anchor for Solana, entry_point patterns for CosmWasm, or receive handlers for TON. That reduces false negatives on framework-specific entry paths.

Iterate from inventory to review

First ask for the complete entry-point map. Then ask for the top 5 riskiest functions, the authorization checks they rely on, and any state-changing paths that look unusual or underprotected. This two-step approach gives better results than asking for a full security audit in one pass, because the skill’s output is easiest to validate when it starts from a clean surface map.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

sharp-edges

by trailofbits

The sharp-edges skill helps you find APIs, configs, and interfaces where the easy path leads to insecure use. Use it to review authentication flows, cryptographic wrappers, dangerous defaults, null or zero semantics, and misuse-prone design choices. It is a strong fit for sharp-edges for Security Audit work when you need concrete footguns, not generic security guesses.

Security Audit

Favorites 0GitHub 5k

security-review

by affaan-m

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

Security Audit

Favorites 0GitHub 156.3k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

ossfuzz

by trailofbits

Learn the ossfuzz skill for continuous fuzzing setup, project enrollment, harness planning, and build workflow review. This guide helps security engineers and maintainers assess readiness, spot build blockers, and prepare a practical path from source tree to OSS-Fuzz or private fuzzing infrastructure.

Security Audit

Favorites 0GitHub 5k

codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

Security Audit

Favorites 0GitHub 5k

semgrep-rule-creator

by trailofbits

semgrep-rule-creator creates production-quality Semgrep rules for security vulnerabilities, bug patterns, taint-flow detections, and coding standards. Use the semgrep-rule-creator skill for Security Audit work when you need precise rules, test cases, and validation instead of a generic draft.

Security Audit

Favorites 0GitHub 5k

insecure-defaults

by trailofbits

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

Security Audit

Favorites 0GitHub 5k

constant-time-analysis

by trailofbits

constant-time-analysis is a security-audit skill for finding timing side-channel risks in cryptographic code before they become exploitable bugs. Use it to review secret-dependent math, branches, comparisons, and compiled output when checking C, C++, Go, Rust, Swift, Java, Kotlin, PHP, JavaScript, TypeScript, Python, or Ruby.

Security Audit

Favorites 0GitHub 5k

secure-workflow-guide

by trailofbits

secure-workflow-guide guides a 5-step Solidity security workflow: Slither triage, feature-specific checks, visual inspection, security-property notes, and manual review. It is built for smart contract teams, auditors, and builders who want a repeatable secure-workflow-guide guide before deployment or release.

Security Audit

Favorites 0GitHub 4.9k

algorand-vulnerability-scanner

by trailofbits

algorand-vulnerability-scanner is a security-audit skill for Algorand TEAL and PyTeal. It helps find 11 common issues, including rekeying attacks, fee validation gaps, field checks, and access control flaws. Use the algorand-vulnerability-scanner skill for a practical first-pass review before a manual audit.

Security Audit

Favorites 0GitHub 4.9k

supabase-postgres-best-practices

by supabase

supabase-postgres-best-practices is a Supabase Postgres optimization skill for query tuning, indexing, schema design, RLS performance, locking, and connection management.

Database Engineering

Favorites 0GitHub 1.7k

entra-agent-id

by microsoft

entra-agent-id is a Microsoft Entra Agent ID preview skill for backend development teams building OAuth2-capable AI agent identities with Graph beta. It covers blueprint setup, blueprint principals, agent identities, permissions, sponsors, workload identity federation, and sidecar-based auth. Use it to understand entra-agent-id install, usage, and rollout constraints.

Backend Development

Favorites 0GitHub 0

token-integration-analyzer

by trailofbits

token-integration-analyzer is a security-review skill for token implementations and token integrations. It checks ERC20/ERC721 conformity, weird token patterns, owner privileges, scarcity, and non-standard token handling for Security Audit workflows. Use the token-integration-analyzer guide to reduce guesswork and assess compatibility risk.

Security Audit

Favorites 0GitHub 4.9k

cosmos-vulnerability-scanner

by trailofbits

cosmos-vulnerability-scanner finds consensus-critical bugs in Cosmos SDK modules, CosmWasm contracts, IBC integrations, and Cosmos EVM stacks. Use this cosmos-vulnerability-scanner guide for security audit workflows, chain-halt risks, fund-loss paths, and pre-launch reviews.

Security Audit

Favorites 0GitHub 4.9k

ruzzy

by trailofbits

ruzzy is a coverage-guided Ruby fuzzing skill for testing pure Ruby code and Ruby C extensions. Use the ruzzy guide to set up a supported Linux environment, verify sanitizer wiring, and build practical fuzzing workflows for Security Audit work.

Security Audit

Favorites 0GitHub 5k