智能合约入口点分析器 - 自动识别状态变更函数，提升安全审计效率

entry-point-analyzer by trailofbits/skills

1,100 周安装量

3,900 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/trailofbits/skills --skill entry-point-analyzer

开发区块链安全

🇨🇳中文介绍

入口点分析器

系统性地识别智能合约代码库中所有状态变更入口点，以指导安全审计。

何时使用

在以下情况下使用此技能：

开始智能合约安全审计以绘制攻击面时
被要求查找入口点、外部函数或审计流程时
分析跨代码库的访问控制模式时
识别特权操作和角色限制函数时
构建对哪些函数可以修改合约状态的理解时

何时不使用

请勿将此技能用于：

漏洞检测（请使用 audit-context-building 或 domain-specific-audits）
编写漏洞利用证明（请使用 solidity-poc-builder）
代码质量或 Gas 优化分析
非智能合约代码库
分析只读函数（本技能会排除它们）

范围：仅限状态变更函数

本技能专门关注可以修改状态的函数。排除项：

语言	排除模式
Solidity	`view`、`pure` 函数
Vyper	`@view`、函数

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Slither 集成（Solidity）

对于 Solidity 代码库，Slither 可以自动提取入口点。在手动分析之前：

1. 检查 Slither 是否可用

2. 如果检测到 Slither，运行入口点打印机

slither . --print entry-points

这将输出包含以下内容的所有状态变更入口点的表格：

合约名称
函数名称
可见性
应用的修饰符

3. 使用 Slither 输出作为基础

解析 Slither 输出表格以填充您的分析
与手动检查交叉引用以进行访问控制分类
Slither 可能会遗漏某些模式（回调、动态访问控制）——需辅以手动审查
如果 Slither 失败（编译错误、不支持的功能），则回退到手动分析

4. 当 Slither 不可用时

如果 which slither 没有返回任何内容，则使用特定语言的参考文件进行手动分析。

扩展名	语言	参考文件
`.sol`	Solidity	{baseDir}/references/solidity.md
`.vy`	Vyper	{baseDir}/references/vyper.md
`.rs` + 带有 `solana-program` 的 `Cargo.toml`	Solana (Rust)	{baseDir}/references/solana.md
`.move` + 带有 `edition` 的 `Move.toml`		{baseDir}/references/move-sui.md
`.move` + 带有 `Aptos` 的 `Move.toml`		{baseDir}/references/move-aptos.md
`.fc`、`.func`、`.tact`	TON (FunC/Tact)	{baseDir}/references/ton.md
`.rs` + 带有 `cosmwasm-std` 的 `Cargo.toml`	CosmWasm	{baseDir}/references/cosmwasm.md

在分析之前，根据检测到的语言加载相应的参考文件。

将每个状态变更入口点分类为以下类别之一：

1. 公开（无限制）

任何人都可以调用且没有限制的函数。

仅限于特定角色的函数。需要检测的常见模式：

明确的角色名称：admin、owner、governance、guardian、operator、manager、minter、pauser、keeper、relayer、lender、borrower
角色检查模式：onlyRole、hasRole、require(msg.sender == X)、assert_owner、#[access_control]
当角色不明确时，标记为 "限制（需要审查）" 并注明限制模式

3. 仅限合约（内部集成点）

只能由其他合约调用，不能由外部账户（EOA）调用的函数。指示器：

回调：onERC721Received、uniswapV3SwapCallback、flashLoanCallback
带有合约调用者检查的接口实现
如果 tx.origin == msg.sender 则回退的函数
跨合约钩子

生成具有以下结构的 Markdown 报告：

# 入口点分析：[项目名称]

**分析时间**：[时间戳]
**范围**：[分析的目录或"完整代码库"]
**语言**：[检测到的语言]
**焦点**：仅限状态变更函数（排除 view/pure）

## 摘要

| 类别 | 数量 |
|----------|-------|
| 公开（无限制） | X |
| 角色限制 | X |
| 限制（需要审查） | X |
| 仅限合约 | X |
| **总计** | **X** |

---

## 公开入口点（无限制）

任何人都可以调用的状态变更函数——优先进行攻击面分析。

| 函数 | 文件 | 备注 |
|----------|------|-------|
| `functionName(params)` | `path/to/file.sol:L42` | 相关简要说明 |

---

## 角色限制入口点

### 管理员 / 所有者
| 函数 | 文件 | 限制 |
|----------|------|-------------|
| `setFee(uint256)` | `Config.sol:L15` | `onlyOwner` |

### 治理
| 函数 | 文件 | 限制 |
|----------|------|-------------|

### 守护者 / 暂停者
| 函数 | 文件 | 限制 |
|----------|------|-------------|

### 其他角色
| 函数 | 文件 | 限制 | 角色 |
|----------|------|-------------|------|

---

## 限制（需要审查）

具有需要手动验证的访问控制模式的函数。

| 函数 | 文件 | 模式 | 审查原因 |
|----------|------|---------|------------|
| `execute(bytes)` | `Executor.sol:L88` | `require(trusted[msg.sender])` | 动态信任列表 |

---

## 仅限合约（内部集成点）

只能由其他合约调用的函数——有助于理解信任边界。

| 函数 | 文件 | 预期调用者 |
|----------|------|-----------------|
| `onFlashLoan(...)` | `Vault.sol:L200` | 闪电贷提供者 |

---

## 已分析文件

- `path/to/file1.sol` (X 个状态变更入口点)
- `path/to/file2.sol` (X 个状态变更入口点)

当用户指定目录过滤器时：

仅分析该路径内的文件
在报告标题中注明过滤器
示例："仅分析 src/core/" → 范围 = src/core/

要彻底：不要跳过文件。每个外部可调用的状态变更函数都很重要。
要保守：当不确定访问级别时，标记为需要审查，而不是错误分类。
跳过只读函数：排除 view、pure 及等效的只读函数。
注意继承：如果函数的访问控制来自父合约，请注明。
跟踪修饰符：列出应用于每个函数的所有与访问相关的修饰符/装饰器。
识别模式：寻找常见模式，例如：
- 初始化函数（通常在第一次调用时不受限制）
- 升级函数（高权限）
- 紧急/暂停函数（守护者级别）
- 费用/参数设置函数（管理员级别）
- 代币转移和批准（通常是公开的）

按协议类型划分的常见角色模式

协议类型	常见角色
DEX	`owner`、`feeManager`、`pairCreator`
借贷	`admin`、`guardian`、`liquidator`、`oracle`
治理	`proposer`、`executor`、`canceller`、`timelock`
NFT	`minter`、`admin`、`royaltyReceiver`
桥接	`relayer`、`guardian`、`validator`、`operator`
金库/收益	`strategist`、`keeper`、`harvester`、`manager`

应拒绝的简化理由

分析入口点时，拒绝以下简化理由：

"这个函数看起来很标准" → 仍然要分类它；标准函数可能具有非标准的访问控制
"修饰符名称很明确" → 验证修饰符的实际实现
"这显然是仅限管理员的" → 追踪实际的限制；"显然"的假设会遗漏细微的绕过方式
"我会跳过回调" → 回调定义了信任边界；始终包含它们
"它没有修改太多状态" → 任何状态更改都可能被利用；包含所有非 view 函数

如果文件无法解析：

在报告的"分析警告"下注明
继续处理剩余文件
建议对无法解析的文件进行手动审查

🇺🇸English

Entry Point Analyzer

Systematically identify all state-changing entry points in a smart contract codebase to guide security audits.

When to Use

Use this skill when:

Starting a smart contract security audit to map the attack surface
Asked to find entry points, external functions, or audit flows
Analyzing access control patterns across a codebase
Identifying privileged operations and role-restricted functions
Building an understanding of which functions can modify contract state

When NOT to Use

Do NOT use this skill for:

Vulnerability detection (use audit-context-building or domain-specific-audits)
Writing exploit POCs (use solidity-poc-builder)
Code quality or gas optimization analysis
Non-smart-contract codebases
Analyzing read-only functions (this skill excludes them)

Scope: State-Changing Functions Only

This skill focuses exclusively on functions that can modify state. Excluded:

Language	Excluded Patterns
Solidity	`view`, `pure` functions
Vyper	`@view`, `@pure` functions
Solana	Functions without `mut` account references
Move	Non-entry `public fun` (module-callable only)
TON	`get` methods (FunC), read-only receivers (Tact)
CosmWasm	`query` entry point and its handlers

Why exclude read-only functions? They cannot directly cause loss of funds or state corruption. While they may leak information, the primary audit focus is on functions that can change state.

Workflow

Detect Language - Identify contract language(s) from file extensions and syntax
Use Tooling (if available) - For Solidity, check if Slither is available and use it
Locate Contracts - Find all contract/module files (apply directory filter if specified)
Extract Entry Points - Parse each file for externally callable, state-changing functions
Classify Access - Categorize each function by access level
Generate Report - Output structured markdown report

Slither Integration (Solidity)

For Solidity codebases, Slither can automatically extract entry points. Before manual analysis:

1. Check if Slither is Available

which slither

2. If Slither is Detected, Run Entry Points Printer

slither . --print entry-points

This outputs a table of all state-changing entry points with:

Contract name
Function name
Visibility
Modifiers applied

3. Use Slither Output as Foundation

Parse the Slither output table to populate your analysis
Cross-reference with manual inspection for access control classification
Slither may miss some patterns (callbacks, dynamic access control)—supplement with manual review
If Slither fails (compilation errors, unsupported features), fall back to manual analysis

4. When Slither is NOT Available

If which slither returns nothing, proceed with manual analysis using the language-specific reference files.

Language Detection

Extension	Language	Reference
`.sol`	Solidity	{baseDir}/references/solidity.md
`.vy`	Vyper	{baseDir}/references/vyper.md
`.rs` + `Cargo.toml` with `solana-program`	Solana (Rust)	{baseDir}/references/solana.md

Load the appropriate reference file(s) based on detected language before analysis.

Access Classification

Classify each state-changing entry point into one of these categories:

1. Public (Unrestricted)

Functions callable by anyone without restrictions.

2. Role-Restricted

Functions limited to specific roles. Common patterns to detect:

Explicit role names: admin, owner, governance, guardian, operator, manager, minter, pauser, keeper, relayer, lender, borrower

3. Contract-Only (Internal Integration Points)

Functions callable only by other contracts, not by EOAs. Indicators:

Callbacks: onERC721Received, uniswapV3SwapCallback, flashLoanCallback
Interface implementations with contract-caller checks
Functions that revert if tx.origin == msg.sender
Cross-contract hooks

Output Format

Generate a markdown report with this structure:

# Entry Point Analysis: [Project Name]

**Analyzed**: [timestamp]
**Scope**: [directories analyzed or "full codebase"]
**Languages**: [detected languages]
**Focus**: State-changing functions only (view/pure excluded)

## Summary

| Category | Count |
|----------|-------|
| Public (Unrestricted) | X |
| Role-Restricted | X |
| Restricted (Review Required) | X |
| Contract-Only | X |
| **Total** | **X** |

---

## Public Entry Points (Unrestricted)

State-changing functions callable by anyone—prioritize for attack surface analysis.

| Function | File | Notes |
|----------|------|-------|
| `functionName(params)` | `path/to/file.sol:L42` | Brief note if relevant |

---

## Role-Restricted Entry Points

### Admin / Owner
| Function | File | Restriction |
|----------|------|-------------|
| `setFee(uint256)` | `Config.sol:L15` | `onlyOwner` |

### Governance
| Function | File | Restriction |
|----------|------|-------------|

### Guardian / Pauser
| Function | File | Restriction |
|----------|------|-------------|

### Other Roles
| Function | File | Restriction | Role |
|----------|------|-------------|------|

---

## Restricted (Review Required)

Functions with access control patterns that need manual verification.

| Function | File | Pattern | Why Review |
|----------|------|---------|------------|
| `execute(bytes)` | `Executor.sol:L88` | `require(trusted[msg.sender])` | Dynamic trust list |

---

## Contract-Only (Internal Integration Points)

Functions only callable by other contracts—useful for understanding trust boundaries.

| Function | File | Expected Caller |
|----------|------|-----------------|
| `onFlashLoan(...)` | `Vault.sol:L200` | Flash loan provider |

---

## Files Analyzed

- `path/to/file1.sol` (X state-changing entry points)
- `path/to/file2.sol` (X state-changing entry points)

Filtering

When user specifies a directory filter:

Only analyze files within that path
Note the filter in the report header
Example: "Analyze only src/core/" → scope = src/core/

Analysis Guidelines

Be thorough : Don't skip files. Every state-changing externally callable function matters.
Be conservative : When uncertain about access level, flag for review rather than miscategorize.
Skip read-only : Exclude view, pure, and equivalent read-only functions.
Note inheritance : If a function's access control comes from a parent contract, note this.
Track modifiers : List all access-related modifiers/decorators applied to each function.
Identify patterns : Look for common patterns like:
- Initializer functions (often unrestricted on first call)
- Upgrade functions (high-privilege)
- Emergency/pause functions (guardian-level)
- Fee/parameter setters (admin-level)
- Token transfers and approvals (often public)

Common Role Patterns by Protocol Type

Protocol Type	Common Roles
DEX	`owner`, `feeManager`, `pairCreator`
Lending	`admin`, `guardian`, `liquidator`, `oracle`
Governance	`proposer`, `executor`, ,

Rationalizations to Reject

When analyzing entry points, reject these shortcuts:

"This function looks standard" → Still classify it; standard functions can have non-standard access control
"The modifier name is clear" → Verify the modifier's actual implementation
"This is obviously admin-only" → Trace the actual restriction; "obvious" assumptions miss subtle bypasses
"I'll skip the callbacks" → Callbacks define trust boundaries; always include them
"It doesn't modify much state" → Any state change can be exploited; include all non-view functions

Error Handling

If a file cannot be parsed:

Note it in the report under "Analysis Warnings"
Continue with remaining files
Suggest manual review for unparsable files

Weekly Installs

1.1K

Repository

trailofbits/skills

GitHub Stars

3.9K

First Seen

Jan 19, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

claude-code988

opencode978

gemini-cli927

codex925

cursor896

github-copilot867

React 组合模式指南：Vercel 组件架构最佳实践，提升代码可维护性

102,200 周安装

Role-checking patterns: onlyRole, hasRole, require(msg.sender == X), assert_owner, #[access_control]

When role is ambiguous, flag as "Restricted (review required)" with the restriction pattern noted