安全分析
- 作者仓库星标 5,723
- 叉子 499
- 作者更新于 2026年6月15日 16:05
- 作者仓库 skills
- 领域
- 安全
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @trailofbits · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需简单配置
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- 未声明(默认跨平台)
- 底层运行要求
- 无特殊要求
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: entry-point-analyzer
description: Analyzes smart contract codebases to identify state-changing entry points for security auditing.…
category: 安全
runtime: 无特殊运行时
---
# entry-point-analyzer 输出预览
## PART A: 任务判断
- 适用问题:安全审计、密钥扫描、权限检查或风险分析。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“When to Use / When NOT to Use / Scope: State-Changing Functions Only”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于安全审计、密钥扫描、权限检查或风险分析,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“When to Use / When NOT to Use / Scope: State-Changing Functions Only”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令。
先用一个小任务确认它会围绕“When to Use / When NOT to Use / Scope: State-Changing Functions Only”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: entry-point-analyzer
description: Analyzes smart contract codebases to identify state-changing entry points for security auditing.…
category: 安全
source: trailofbits/skills
---
# entry-point-analyzer
## 什么时候使用
- entry-point-analyzer 是安全方向的技能,由 Agent 做扫描 / 风险检查 适合处理安全审计、密钥扫描、权限检查和风险分析,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务…
- 面向安全审计、密钥扫描、权限检查或风险分析,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「When to Use / When NOT to Use / Scope: State-Changing Functions Only」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "entry-point-analyzer" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> When to Use / When NOT to Use / Scope: State-Changing Functions Only
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> 无特殊运行时 | 读取文件、写入/修改文件、执行终端命令 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Entry Point Analyzer
Systematically identify all state-changing entry points in a smart contract codebase to guide security audits.
When to Use
Use this skill when:
- Starting a smart contract security audit to map the attack surface
- Asked to find entry points, external functions, or audit flows
- Analyzing access control patterns across a codebase
- Identifying privileged operations and role-restricted functions
- Building an understanding of which functions can modify contract state
When NOT to Use
Do NOT use this skill for:
- Vulnerability detection (use audit-context-building or domain-specific-audits)
- Writing exploit POCs (use solidity-poc-builder)
- Code quality or gas optimization analysis
- Non-smart-contract codebases
- Analyzing read-only functions (this skill excludes them)
Scope: State-Changing Functions Only
This skill focuses exclusively on functions that can modify state. Excluded:
| Language | Excluded Patterns |
|---|---|
| Solidity | view, pure functions |
| Vyper | @view, @pure functions |
| Solana | Functions without mut account references |
| Move | Non-entry public fun (module-callable only) |
| TON | get methods (FunC), read-only receivers (Tact) |
| CosmWasm | query entry point and its handlers |
Why exclude read-only functions? They cannot directly cause loss of funds or state corruption. While they may leak information, the primary audit focus is on functions that can change state.
Workflow
- Detect Language - Identify contract language(s) from file extensions and syntax
- Use Tooling (if available) - For Solidity, check if Slither is available and use it
- Locate Contracts - Find all contract/module files (apply directory filter if specified)
- Extract Entry Points - Parse each file for externally callable, state-changing functions
- Classify Access - Categorize each function by access level
- Generate Report - Output structured markdown report
Slither Integration (Solidity)
For Solidity codebases, Slither can automatically extract entry points. Before manual analysis:
1. Check if Slither is Available
which slither
2. If Slither is Detected, Run Entry Points Printer
slither . --print entry-points
This outputs a table of all state-changing entry points with:
- Contract name
- Function name
- Visibility
- Modifiers applied
3. Use Slither Output as Foundation
- Parse the Slither output table to populate your analysis
- Cross-reference with manual inspection for access control classification
- Slither may miss some patterns (callbacks, dynamic access control)—supplement with manual review
- If Slither fails (compilation errors, unsupported features), fall back to manual analysis
4. When Slither is NOT Available
If which slither returns nothing, proceed with manual analysis using the language-specific reference files.
Language Detection
| Extension | Language | Reference |
|---|---|---|
.sol |
Solidity | {baseDir}/references/solidity.md |
.vy |
Vyper | {baseDir}/references/vyper.md |
.rs + Cargo.toml with solana-program |
Solana (Rust) | {baseDir}/references/solana.md |
.move + Move.toml with edition |
{baseDir}/references/move-sui.md | |
.move + Move.toml with Aptos |
{baseDir}/references/move-aptos.md | |
.fc, .func, .tact |
TON (FunC/Tact) | {baseDir}/references/ton.md |
.rs + Cargo.toml with cosmwasm-std |
CosmWasm | {baseDir}/references/cosmwasm.md |
Load the appropriate reference file(s) based on detected language before analysis.
Access Classification
Classify each state-changing entry point into one of these categories:
1. Public (Unrestricted)
Functions callable by anyone without restrictions.
2. Role-Restricted
Functions limited to specific roles. Common patterns to detect:
- Explicit role names:
admin,owner,governance,guardian,operator,manager,minter,pauser,keeper,relayer,lender,borrower - Role-checking patterns:
onlyRole,hasRole,require(msg.sender == X),assert_owner,#[access_control] - When role is ambiguous, flag as "Restricted (review required)" with the restriction pattern noted
3. Contract-Only (Internal Integration Points)
Functions callable only by other contracts, not by EOAs. Indicators:
- Callbacks:
onERC721Received,uniswapV3SwapCallback,flashLoanCallback - Interface implementations with contract-caller checks
- Functions that revert if
tx.origin == msg.sender - Cross-contract hooks
Output Format
Generate a markdown report with this structure:
# Entry Point Analysis: [Project Name]
**Analyzed**: [timestamp]
**Scope**: [directories analyzed or "full codebase"]
**Languages**: [detected languages]
**Focus**: State-changing functions only (view/pure excluded)
## Summary
| Category | Count |
|----------|-------|
| Public (Unrestricted) | X |
| Role-Restricted | X |
| Restricted (Review Required) | X |
| Contract-Only | X |
| **Total** | **X** |
---
## Public Entry Points (Unrestricted)
State-changing functions callable by anyone—prioritize for attack surface analysis.
| Function | File | Notes |
|----------|------|-------|
| `functionName(params)` | `path/to/file.sol:L42` | Brief note if relevant |
---
## Role-Restricted Entry Points
### Admin / Owner
| Function | File | Restriction |
|----------|------|-------------|
| `setFee(uint256)` | `Config.sol:L15` | `onlyOwner` |
### Governance
| Function | File | Restriction |
|----------|------|-------------|
### Guardian / Pauser
| Function | File | Restriction |
|----------|------|-------------|
### Other Roles
| Function | File | Restriction | Role |
|----------|------|-------------|------|
---
## Restricted (Review Required)
Functions with access control patterns that need manual verification.
| Function | File | Pattern | Why Review |
|----------|------|---------|------------|
| `execute(bytes)` | `Executor.sol:L88` | `require(trusted[msg.sender])` | Dynamic trust list |
---
## Contract-Only (Internal Integration Points)
Functions only callable by other contracts—useful for understanding trust boundaries.
| Function | File | Expected Caller |
|----------|------|-----------------|
| `onFlashLoan(...)` | `Vault.sol:L200` | Flash loan provider |
---
## Files Analyzed
- `path/to/file1.sol` (X state-changing entry points)
- `path/to/file2.sol` (X state-changing entry points)
Filtering
When user specifies a directory filter:
- Only analyze files within that path
- Note the filter in the report header
- Example: "Analyze only
src/core/" → scope =src/core/
Analysis Guidelines
- Be thorough: Don't skip files. Every state-changing externally callable function matters.
- Be conservative: When uncertain about access level, flag for review rather than miscategorize.
- Skip read-only: Exclude
view,pure, and equivalent read-only functions. - Note inheritance: If a function's access control comes from a parent contract, note this.
- Track modifiers: List all access-related modifiers/decorators applied to each function.
- Identify patterns: Look for common patterns like:
- Initializer functions (often unrestricted on first call)
- Upgrade functions (high-privilege)
- Emergency/pause functions (guardian-level)
- Fee/parameter setters (admin-level)
- Token transfers and approvals (often public)
Common Role Patterns by Protocol Type
| Protocol Type | Common Roles |
|---|---|
| DEX | owner, feeManager, pairCreator |
| Lending | admin, guardian, liquidator, oracle |
| Governance | proposer, executor, canceller, timelock |
| NFT | minter, admin, royaltyReceiver |
| Bridge | relayer, guardian, validator, operator |
| Vault/Yield | strategist, keeper, harvester, manager |
Rationalizations to Reject
When analyzing entry points, reject these shortcuts:
- "This function looks standard" → Still classify it; standard functions can have non-standard access control
- "The modifier name is clear" → Verify the modifier's actual implementation
- "This is obviously admin-only" → Trace the actual restriction; "obvious" assumptions miss subtle bypasses
- "I'll skip the callbacks" → Callbacks define trust boundaries; always include them
- "It doesn't modify much state" → Any state change can be exploited; include all non-view functions
Error Handling
If a file cannot be parsed:
- Note it in the report under "Analysis Warnings"
- Continue with remaining files
- Suggest manual review for unparsable files
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核