security-entry-point-analyzer
Entry Point Analysis
When to Use
- Mapping an application's attack surface before security testing
- Cataloging all API endpoints, routes, and exposed interfaces
- Identifying which entry points handle untrusted input
- Prioritizing code paths for deeper security review
- Understanding data flow from external input to internal processing
When NOT to Use
- Deep vulnerability analysis of specific code paths (use static analysis)
- Network-level attack surface mapping (use nmap/network tools)
- Binary reverse engineering entry points (use DWARF/disassembly tools)
Entry Point Categories
| Category | Examples | Priority |
|---|---|---|
| HTTP routes/endpoints | REST APIs, GraphQL, webhooks | High |
| WebSocket handlers | Real-time messaging, streaming | High |
| File upload handlers | Document upload, image processing | Critical |
| Authentication endpoints | Login, OAuth callbacks, token refresh | Critical |
| Deserialization points | JSON/XML/protobuf parsing of data from external sources | High |
| CLI argument parsing | User-supplied flags and arguments | Medium |
| IPC/RPC interfaces | gRPC, message queues, Unix sockets | Medium |
| Cron/scheduled tasks | Jobs triggered by external data | Low-Medium |
| Environment variables | Config that influences behavior | Low |
Discovery Techniques
Route Discovery
```bash
# Express.js / Node
grep -rn "app\.\(get\|post\|put\|delete\|patch\|all\|use\)(" --include="*.ts" --include="*.js" .
# Flask / Python
grep -rn "@app\.route\|@blueprint\.route\|@api\.route" --include="*.py" .
# Spring / Java
grep -rn "@\(Get\|Post\|Put\|Delete\|Patch\|Request\)Mapping" --include="*.java" .
# GraphQL resolvers
grep -rn "Mutation\|Query\|Subscription" --include="*.ts" --include="*.graphql" .
```
Input Handling
```bash
# Request body/query/param access
grep -rn "req\.body\|req\.query\|req\.params\|request\.json\|request\.form" .
# File upload handling (deliberately broad: "upload" will also match unrelated identifiers, so review the hits)
grep -rn "multer\|upload\|multipart\|formidable\|busboy" .
# Header access (headers are attacker-controlled input too)
grep -rn "req\.headers\|request\.headers\|getHeader" .
```
Analysis Workflow
- Enumerate all entry points (routes, handlers, listeners)
- Classify by input type and trust level
- Trace input flow from entry to first processing step
- Identify authentication/authorization requirements per endpoint
- Document the attack surface map with a risk rating per entry point
- Prioritize unauthenticated endpoints handling complex input
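The workflow above, turned into a small script: an added example, not part of the original skill. It applies the route-discovery patterns from the grep commands to a constructed sample tree (three hypothetical files), tags each route with the category table's priority, looks for authentication and complex-input hints in the handler's first lines (the hint names are assumptions to tune per codebase), and orders the result so Critical, unauthenticated, complex-input endpoints come first.

```python
import re

# Constructed sample tree (hypothetical project): file path -> source text.
SAMPLE_TREE = {
    "api/users.js": "router.post('/api/users', requireAuth, createUser);\nrouter.get('/api/users/:id', getUser);\n",
    "app/views.py": "@app.route('/upload', methods=['POST'])\n@login_required\ndef upload():\n    f = request.files['doc']\n",
    "src/Auth.java": '@PostMapping("/login")\npublic String login(@RequestBody LoginReq r) {}\n',
}
# The grep patterns above as regexes with named groups; Flask carries its verb in methods=[...].
ROUTE_PATTERNS = [
    re.compile(r"\b(?:app|router)\.(?P<method>get|post|put|delete|patch|all)\(\s*['\"](?P<path>[^'\"]+)['\"]"),
    re.compile(r"@(?:app|blueprint|api)\.route\(\s*['\"](?P<path>[^'\"]+)['\"](?P<args>[^)]*)\)"),
    re.compile(r"@(?P<method>Get|Post|Put|Delete|Patch|Request)Mapping\(\s*['\"](?P<path>[^'\"]+)['\"]"),
]
# Heuristic hints (assumed names, tune per codebase) checked in the route line and the lines just after it.
AUTH_HINT = re.compile(r"requireAuth|login_required|@PreAuthorize|jwt_required")
INPUT_HINT = re.compile(r"upload|multipart|request\.files|req\.file|@RequestBody|req\.body|request\.json")
PRIORITY_RANK = {"Critical": 0, "High": 1}


def priority(path):
    # Category table above: auth and upload endpoints are Critical, ordinary HTTP routes High.
    return "Critical" if re.search(r"login|oauth|token|upload", path.lower()) else "High"


def enumerate_entry_points(tree):
    # Workflow steps 1-4: find routes, derive the verb, inspect the first processing lines for hints.
    found = []
    for fname, text in tree.items():
        lines = text.splitlines()
        for i, line in enumerate(lines):
            for pat in ROUTE_PATTERNS:
                m = pat.search(line)
                if not m:
                    continue
                g = m.groupdict()
                verbs = re.search(r"methods\s*=\s*\[([^\]]*)\]", g.get("args") or "")
                method = re.sub(r"['\" ]", "", (g.get("method") or (verbs.group(1) if verbs else "GET")).upper())
                window = "\n".join(lines[i:i + 4])  # route line plus the handler's first lines (heuristic)
                found.append({"file": f"{fname}:{i + 1}", "method": method.replace("REQUEST", "ANY"),
                              "path": g["path"], "priority": priority(g["path"]),
                              "authenticated": bool(AUTH_HINT.search(window)),
                              "complex_input": bool(INPUT_HINT.search(window))})
    return found


def attack_surface_map(tree):
    # Workflow steps 5-6: Critical first, then unauthenticated, then endpoints taking complex input.
    return sorted(enumerate_entry_points(tree),
                  key=lambda e: (PRIORITY_RANK[e["priority"]], e["authenticated"], not e["complex_input"]))
```

On the sample tree the unauthenticated `POST /login` taking a request body lands at the top, ahead of the authenticated upload handler and the plain user routes.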