# ElizaOS Developer Update (2026-03-19 → 2026-03-25) This update aggregates developer-relevant changes and discussions observed across ElizaOS community channels during the week ending **2026-03-25**. **Note:** No ElizaOS core GitHub PR/issue activity for this exact window was included in the provided dataset, so this report focuses on Discord-shared technical releases, security advisories, and ecosystem plugins. --- ## 1) Core Framework (Architecture / Plugin System / Agent Runtime) ### Model Context Protocol (MCP) continues to be the preferred extension surface Community work this week shipped new capabilities as **MCP servers** (see *Pythia Oracle MCP* below). This reinforces the pattern of treating external capabilities as **tool servers** that agents can query at runtime, rather than hard-coding data pipelines into the agent. **Developer pointers** - If you’re building integrations, consider exposing them as an MCP server to keep secrets and vendor dependencies out of the core agent runtime. - Reference docs/roadmap: - Roadmap: https://github.com/elizaOS/roadmap - Paper: https://arxiv.org/abs/2501.06781 --- ## 2) New Features (Detailed) ### 2.1 Pythia Oracle MCP Server: verifiable on-chain market indicators (no API keys) **Shared by:** Ivan Jeremic (Discord, `#coders`, 2026-03-24) **What it does:** Provides live market indicators directly from **Chainlink oracles on Polygon**, covering **13 tokens** across **4 timeframes**, including: - EMA, RSI, VWAP - Bollinger Bands - Volatility metrics **Why this matters** - Eliminates API keys and off-chain data ingestion for common market context. - Enables DeFi/trading agents to ground decisions in **verifiable oracle-fed indicators**. **Install** ```bash pip install pythia-oracle-mcp ``` **Example: running as an MCP tool server (pattern)** Exact CLI flags were not provided in the week’s data; the following illustrates the typical deployment shape for MCP servers: ```bash # Example pattern (adjust to the package's documented entrypoints) pythia-oracle-mcp --host 127.0.0.1 --port 3333 ``` **Example: wiring an MCP server into an agent (conceptual)** Because the exact ElizaOS config schema for MCP connections was not included in this week’s dataset, use this as a conceptual reference—map the fields to your runtime’s MCP client configuration: ```jsonc { "tools": [ { "type": "mcp", "name": "pythia", "url": "http://127.0.0.1:3333" } ] } ``` **Operational guidance** - Treat oracle-indicator queries as **deterministic inputs**: cache responses per timeframe to avoid over-querying. - For trading agents: persist the indicator snapshot alongside decisions for auditability and post-trade evaluation. **Discussion source** - Discord channel: https://discord.com/channels/1253563208833433701/1300025221834739744 --- ### 2.2 Autonomous agent monetization plugin (Base chain marketplace, AGT payments) **Shared by:** TraderTomson (Discord, 2026-03-22) **What it does:** A plugin enabling an agent to: - Register itself on an **on-chain marketplace on Base** - Post services, get hired by other agents - Receive payment in **AGT tokens** - Operate autonomously (no human-in-the-loop required for listing/hiring/payment flows) **Why this matters** - Introduces a standardized path for **agent-to-agent commerce**. - Pushes ElizaOS agents toward self-sustaining economic loops (service discovery → fulfillment → settlement). **Developer integration notes (based on discussion)** - Expect to handle: - On-chain identity / wallet management - Service catalog metadata (capabilities, pricing, SLA) - Event-driven fulfillment (listen for hire events → execute → attest completion) If you plan to adopt it, validate: - Key management strategy (HSM, enclave, delegated signing) - Failure modes (reorgs, partial execution, gas spikes) - Replay protection on “job accepted / job completed” messages **Discussion source** - Discord channel (general): https://discord.com/channels/1253563208833433701/1253563209462448241 --- ## 3) Bug Fixes (Critical fixes with technical context) ### No core bug-fix PRs were included in this week’s dataset However, a **critical ecosystem security issue** surfaced (see below). Treat this as “bug class: supply-chain compromise” affecting developer environments and CI. --- ## 4) API Changes ### No ElizaOS API changes were recorded in the provided data for 2026-03-19 → 2026-03-25 If you merged API changes internally this week, ensure you: - version your plugin manifests, - document schema changes in the registry, - and add migration notes for agent configs (especially tool invocation schemas). --- ## 5) Social Media Integrations (Twitter / Telegram / Discord / Farcaster) ### No plugin updates were recorded this week for social integrations Community items did include promotional activity around MiladyAI short video submissions, but no technical changes to X/Twitter, Telegram, Discord, or Farcaster plugins were discussed. --- ## 6) Model Provider Updates (OpenAI / Anthropic / DeepSeek / etc.) ### No provider integration changes were recorded in the provided data this week If you operate production agents, this week’s key provider-adjacent action is dependency hygiene (next section), not model endpoint changes. --- ## 7) Breaking Changes (V1 → V2 migration warnings) ### No new V1→V2 breaking changes were identified in this week’s dataset That said, two migration risk areas are active in the ecosystem: 1) **Tooling via MCP servers is accelerating** - If you are migrating older plugins that were tightly coupled to runtime internals, expect pressure to refactor toward **MCP tool boundaries** (clear I/O contracts, stateless queries, explicit auth). 2) **Supply-chain risk impacts migration reliability** - Migration work often involves dependency bumps; treat Python tooling updates as high-risk until verified (see security advisory below). --- ## Security Advisory (Action Required): `litellm` PyPI supply-chain attack (v1.82.8) **Shared by:** DorianD (Discord, `#coders`, 2026-03-24) **Impact described in-channel** - Malicious `.pth` file executes on **every Python startup** - Harvests SSH keys, cloud credentials, and secrets - Attempts lateral movement across Kubernetes clusters **Recommended immediate actions** ```bash # 1) Identify exposure pip show litellm # 2) If installed, remove and rotate secrets pip uninstall -y litellm # 3) Reinstall only after verifying a known-good version per official advisory # (Pin explicitly; avoid floating constraints) pip install "litellm==" ``` **Ops checklist** - Rotate: SSH keys, cloud access keys, Kubernetes service account tokens, CI secrets. - Audit: developer laptops + CI runners + build images. - Add: dependency allowlists + hash checking for Python where feasible. **Discussion source** - Discord channel: https://discord.com/channels/1253563208833433701/1300025221834739744 --- ## Community / Ecosystem Notes (Developer-relevant) - **Nosana x ElizaOS partnership** for the **Nosana Builders’ Challenge** (launching **2026-03-25**) with builder workshops on **2026-03-26** and **2026-04-02**. If you want hands-on support or visibility for your agent build, this is the main coordinated on-ramp this week. - Discord discussion: https://discord.com/channels/1253563208833433701/1253563209462448241 - Documentation clarification repeated in community: there is **no traditional “token whitepaper”**; canonical references are the **GitHub roadmap** and the **arXiv paper**: - https://github.com/elizaOS/roadmap - https://arxiv.org/abs/2501.06781