# elizaOS Discord - 2025-12-09

## Overall Discussion Highlights

### Critical Security Vulnerability Discovered and Patched

A major security vulnerability was discovered through an agentic security audit conducted by jin using Claude. The vulnerability exposed the server when the CLI wizard failed to prompt for `ELIZA_SERVER_AUTH_TOKEN`, allowing attackers to extract all secrets via unauthenticated API calls to `/api/agents`. Stan traced the root cause to `process.env` being dumped into unencrypted `settings` instead of encrypted `settings.secrets` between versions 1.6.4 and 1.6.5-alpha.8. The bug was introduced and fixed within 2.5 weeks, with the fix committed at `a1941c643bd904fbca7890296af0d1f8b8f67ee1`. Additional settings exposure issues on the current monorepo are being addressed by Stan.
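One way to audit stored agent records for the condition described above, and to strip the affected keys before a record is returned by an API handler. This is an added example, not elizaOS code: the record shape beyond `settings` and `settings.secrets`, the key-name pattern, and all sample values are assumptions constructed for illustration.

```javascript
// Added example, not elizaOS code. The agent record shape is an assumption
// based on the `settings` / `settings.secrets` fields named above.

// Key names that usually carry credentials (heuristic, constructed for this example).
const SECRET_NAME = /(TOKEN|SECRET|PASSWORD|PRIVATE_KEY|API_KEY|SALT)$/i;

// Return the keys in plain `settings` that should live in `settings.secrets`:
// either the name looks like a credential, or the key/value pair is a verbatim
// copy of an environment variable (the signature of an env dump).
function findMisplacedSecrets(agent, env = process.env) {
  const settings = agent.settings || {};
  const findings = [];
  for (const [key, value] of Object.entries(settings)) {
    if (key === "secrets") continue; // the encrypted bag is where secrets belong
    if (typeof value !== "string" || value === "") continue;
    if (SECRET_NAME.test(key)) {
      findings.push({ key, reason: "secret-like name" });
    } else if (Object.prototype.hasOwnProperty.call(env, key) && env[key] === value) {
      findings.push({ key, reason: "copied from environment" });
    }
  }
  return findings;
}

// Build the copy of an agent that is safe to return from an API handler:
// `settings.secrets` is dropped and every flagged key is removed.
function redactAgent(agent, env = process.env) {
  const flagged = new Set(findMisplacedSecrets(agent, env).map((f) => f.key));
  const settings = {};
  for (const [key, value] of Object.entries(agent.settings || {})) {
    if (key !== "secrets" && !flagged.has(key)) settings[key] = value;
  }
  return { ...agent, settings };
}

// Constructed sample: an agent whose settings absorbed part of the environment.
const sampleEnv = { OPENAI_API_KEY: "sk-constructed", HOME: "/home/eliza", PATH: "/usr/bin" };
const sampleAgent = {
  name: "demo",
  settings: {
    voice: "en_US",
    OPENAI_API_KEY: "sk-constructed",
    HOME: "/home/eliza",
    secrets: { DISCORD_API_TOKEN: "encrypted:constructed" },
  },
};

console.log(findMisplacedSecrets(sampleAgent, sampleEnv));
console.log(redactAgent(sampleAgent, sampleEnv).settings);
```

The environment comparison catches dumped variables whose names do not look like credentials; it only works when the audit runs with the same environment the server was started with.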

### AI16Z to ElizaOS Migration Fallout

The migration from AI16Z to ElizaOS (1:6 ratio) created significant community concerns. The total supply increased from 6.6B to 11B tokens, with circulating supply jumping to 7.4B. A controversial snapshot was implemented to prevent arbitrage, catching many holders off-guard, particularly those on exchanges like Kraken. The supply increase was clarified as 13% at migration point for liquidity/exchanges, with the remaining 27% on a 3-year unlock schedule. Multiple users reported migration issues and sought guidance through support channels.

### Code Quality Initiative: Comprehensive "Deslopping"

Shaw submitted PR #6213 performing extensive cleanup across the core codebase, removing AI-generated code artifacts including excessive try/catches, improving types (any => unknown), adding test coverage, and cleaning comments. Despite touching many files, all tests pass with dramatic reduction in `any` and `unknown` types. Odilitime initially wanted smaller PRs but accepted the comprehensive approach given the scope. Shaw recommends this cleanup every 6 months and advocates using Claude Opus 4.5 for all development work, arguing it's worth more than hiring additional people.

### Infrastructure and Platform Development

**Jeju Testnet Deployment:** Shaw announced deployment of a next-gen OP stack agent chain with cross-chain liquidity pools (xlp) that eliminates bridge requirements. Users can use elizaOS tokens from Base, BSC, OP, Arb, or ETH as gas without bridging. Shaw is deploying nodes for major L2s to eliminate RPC dependencies.

**Platform Integration:** The infrastructure integrates with Cloud (vendor app) and includes x402 payment infrastructure and Ethereum interop layer. Shaw also mentioned Crucible - a 24/7 red team system for continuous security testing.

### Twitter Integration Problems

Multiple users reported Twitter plugin functionality completely broken. SecretRecipe reported posting failures despite proper configuration, with environment arguments not being respected (e.g., interaction check intervals ignoring custom values). Nico encountered "No text content in response, skipping tweet reply" warnings for all replies. Jin committed to immediate fixes.

### Database and Plugin Issues

Significant technical issues emerged with database foreign key constraint violations in `plugin-sql` when used with `plugin-twitter` and PostgreSQL. Users soyrubio and Redvoid encountered errors where memory creation failed due to `memories_entityId_entities_id_fk` constraint violations. Stan confirmed active work on a fix and migration guide. The plugin-sql repository location was clarified as being in the main ElizaOS repo under `packages/plugin-sql`.

### Technical Architecture Concerns

DorianD raised critical tokenomics and architecture issues:
- No network effects from launching agents
- Lack of composability between agents (unlike smart contracts)
- No guaranteed uptime like smart contracts
- No assurance of agent availability/accessibility

These represent fundamental architectural limitations compared to blockchain-based systems that need addressing.

### Cloud Platform and Babylon Project Status

Multiple users asked about the promised ElizaOS cloud platform launch (originally scheduled for end of November). Odilitime confirmed active development with a focus on developer experience but provided no launch date. The Babylon project was mentioned with 275K registrations, focused on autonomous agents with infrastructure partners, but no launch timeline was disclosed despite community pressure.

### LLM Integration and Technical Discoveries

cryptorixh sought to integrate Perplexity's sonar-pro model with ElizaOS. Odilitime provided a solution using existing OpenAI or OpenRouter plugins by modifying environment variables, specifically pointing the `OPENAI_API_URL` to Perplexity's server while setting the model to sonar-pro.

Odilitime discovered that calling `composeState` from inside an action's validator can cause infinite loops if parameters aren't handled carefully. The team discussed JSON5 preference over JSON, and evaluated new formats like TOON and POML but concluded XML/JSON remain better for dumber models due to longer training history.

### Plugin Memory Upgrade Discussion

Odilitime shared a plugin-memory upgrade suggestion document. 0xbbjoker and Stan expressed interest in discussing after standup. The team also discussed session memory implementations, referencing ChatGPT's economical token spend approach.

## Key Questions & Answers

**Q: What happened to ElizaOS cloud launch that was supposed to launch by end of November?**
A: Still in development, devs will really like it, no specific launch date yet (Odilitime)

**Q: Why is Twitter posting not working despite all settings configured?**
A: I'll fix right now (jin)

**Q: Why did supply increase and airdrop come from community pocket?**
A: Supply increased 13% at migration for liquidity and exchanges, with 3 year unlock schedule for remaining 27% which doesn't mean they'll be in market (Kenk)

**Q: Anyone else encountered database errors with plugin-twitter and plugin-sql violating foreign key constraint?**
A: Stan is working on a fix and migration guide, started yesterday (sayonara)

**Q: Where is the plugin-sql repository?**
A: https://github.com/elizaOS/eliza/tree/develop/packages/plugin-sql (Stan)

**Q: How can I use Perplexity sonar-pro as my LLM?**
A: Use plugin-openai or plugin-openrouter and change env vars like OPENAI_API_URL to point at Perplexity's server (Odilitime)

**Q: What's wrong with try/catches in the codebase?**
A: Cursor is overzealous with them, it's a very common slop pattern from AI code generation (shaw)

**Q: Why can't the deslopping PR be broken into smaller pieces?**
A: Running project-wide processing to detect and remove slop, not feasible to separate since all tests pass with full coverage and dramatic type improvements (shaw)

**Q: Do you waste time if you're not using Opus?**
A: Now that Opus 4.5 is out and costs as much as Sonnet 4.5, yes. It's worth having everyone use Opus more than hiring more people (shaw)

**Q: Payment infra? Are we doing a moonpay clone?**
A: x402 and ethereum interop layer. Cloud is web2 but everything is exposed to web3 with credits redeemable for elizaOS (shaw)

**Q: Should we force SECRET_SALT and AUTH_TOKEN at startup with error?**
A: We should be able to start without those env vars. If auth token is blank it should fall back on salt. In production, if salt is blank, it should throw (Odilitime)

**Q: Where can I see the plugins? Is there a telegram plugin?**
A: https://github.com/elizaos-plugins/plugin-telegram (0xbbjoker)

**Q: How can I get airdrops of $BABYLON token if holding $ElizaOS on exchange?**
A: Probably better to move to your own wallet, go buy a ledger or keystone (DorianD)

## Community Help & Collaboration

**Security Vulnerability Resolution:**
- **Helper:** Stan | **Helpee:** sayonara, jin
- **Context:** Security vulnerability with unencrypted secrets exposure
- **Resolution:** Identified bug was introduced in version 1.6.4 and fixed in 1.6.5-alpha.8, working on remaining issues

**Database Plugin Issues:**
- **Helper:** Stan | **Helpee:** soyrubio
- **Context:** Database foreign key constraint errors with plugin-sql and plugin-twitter
- **Resolution:** Provided correct repository location and committed to help fix issue without data loss

**Migration Support:**
- **Helper:** MDMnvest | **Helpee:** Garush, 거북알
- **Context:** Needed help importing AI16z tokens and exchange process
- **Resolution:** Directed to migration support channel

**LLM Integration:**
- **Helper:** Odilitime | **Helpee:** cryptorixh
- **Context:** Integrating Perplexity sonar-pro as LLM
- **Resolution:** Explained how to use plugin-openai or plugin-openrouter with modified environment variables

**Plugin Discovery:**
- **Helper:** 0xbbjoker | **Helpee:** H△RDSHELL
- **Context:** Looking for plugins location and Telegram plugin
- **Resolution:** Provided link to elizaos-plugins/plugin-telegram repository

**API Alternatives:**
- **Helper:** jin | **Helpee:** Skelzor
- **Context:** Looking for API alternatives to Dexscreener
- **Resolution:** Suggested CoinGecko, DeFiLlama, and Codex with public endpoints

**Code Review:**
- **Helper:** Odilitime | **Helpee:** shaw
- **Context:** Large PR review concerns and merge conflicts
- **Resolution:** Accepted the comprehensive deslopping PR after understanding scope and confirming tests pass

**Security Audit Methodology:**
- **Helper:** jin | **Helpee:** shaw, team
- **Context:** Security audit methodology and tooling
- **Resolution:** Shared pentest squad setup using Claude skills, provided reproduction steps for vulnerabilities

**Home Automation:**
- **Helper:** Odilitime | **Helpee:** DorianD
- **Context:** Question about AI fridge control technology
- **Resolution:** Informed that Neo has developed home automation technology for elizaOS

## Action Items

### Technical

- Fix Twitter posting functionality - settings not being respected and posting completely broken (jin, SecretRecipe)
- Fix remaining settings exposure vulnerability on current monorepo where secrets still appear unencrypted (Stan)
- Remove secrets from /agent/ endpoint and put them in system endpoint only (Stan)
- Handle remaining vulnerabilities found by jin's security audit in DB-related PR (Stan)
- Complete agentic security audit of Babylon using staging.babylon.market endpoint (jin)
- Fix plugin-sql foreign key constraint violation for memories table and create migration guide (Stan)
- PR fix for plugin-sql database issues (Redvoid)
- Fix Twitter plugin "No text content in response, skipping tweet reply" error preventing replies (Nico)
- Review and merge PR #6213 deslopping changes to core codebase (shaw)
- Discuss plugin-memory upgrade suggestions after standup (0xbbjoker, Stan)
- Deploy Crucible 24/7 red team system for continuous security testing (shaw)
- Complete Jeju testnet deployment with nodes for major L2s (Base, BSC, OP, Arb, ETH) (shaw)
- Implement cross-chain liquidity pools (xlp) without bridge requirements (shaw)
- Complete Kraken exchange migration support (Will123, DorianD)
- Add support for Perplexity sonar-pro LLM integration (cryptorixh)
- Implement tokenomics for agent network effects - currently forking repo and launching agents has no impact (DorianD)
- Address agent composability issues - agents aren't easily composable like smart contracts (DorianD)
- Implement guaranteed uptime/availability for agents similar to smart contract reliability (DorianD)
- Make authentication mandatory by default with explicit opt-out for development environments (jin)
- Favor using JSON5 over JSON in codebase (Odilitime)

### Feature

- Launch ElizaOS cloud platform (originally promised end of November) (averma, Odilitime)
- Launch Babylon project (275K registrations waiting) (joaz0502, Kenk)
- Build red team app for 24/7 eliza network security testing (shaw)
- Integrate Cloud vendor app with Jeju including comments and payment infrastructure (shaw)
- Explore x402 and Oasis ROFL for monetizing ElizaOS inference with verified payments (DorianD)
- Build benchmark analytics dashboard for crypto AI infrastructure and agents with search interface and reputation metrics (satsbased)
- AI agent for fridge control with camera integration and smart scale access for diet management (DorianD)

### Documentation

- Publish blog/documentation on how ElizaOS caters to application developers while monetizing as protocol layer (DorianD, Kenk)
- Establish communications advisory board to review decisions before implementation to prevent repeated mistakes (DorianD)
- Update documentation for plugin-sql fix and migration (Stan)
- Share pentest squad security audit report when complete (jin)
- Document composeState infinite loop issue when called from action validators (Odilitime)