## Issue Triage — 2026-02-04

### 1) Malicious / Untrusted Skills on Clawhub (Supply-Chain Risk) — **DISC-SEC-001**
- **Current Status:** Reported in Discord (#coders). Mitigations proposed (scanner skills, rewrite phase, LLM review). Sandboxing suggested.
- **Impact Assessment:**
  - **User Impact:** **Critical** (any user installing skills could be affected)
  - **Functional Impact:** **Yes** (can lead to agent compromise / arbitrary actions)
  - **Brand Impact:** **High** (security posture + ecosystem trust)
- **Technical Classification:**
  - **Issue Category:** **Security**
  - **Component Affected:** **Plugin System / Skill Marketplace (Clawhub)**
  - **Complexity:** **Architectural change** (end-to-end trust & execution model)
- **Resource Requirements:**
  - **Required Expertise:** AppSec, sandboxing (containers/wasm/VM), static analysis, supply-chain signing/attestation, LLM eval pipelines
  - **Dependencies:** Definition of skill packaging format; runtime constraints; marketplace enforcement hooks
  - **Estimated Effort (1–5):** **5**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. Create a formal threat model (malicious skill code, prompt injection in skill metadata, dependency confusion, exfiltration).
  2. Define a minimum security baseline for skills: permissions manifest + network/fs/process limits + signed artifacts.
  3. Implement **execution sandbox** (recommended): containerized runner or WASM sandbox with explicit allowlists.
  4. Add **pre-publish scanning**: dependency scanning (SCA), secrets scanning, static heuristics for dangerous APIs.
  5. Add **review pipeline**: LLM-based review as *advisory*, not primary gate; require human approval for high-risk permissions.
  6. Add incident response path: takedown mechanism + revoke list + user notification.
- **Potential Assignees:**
  - **Odilitime** (plugin-cskills + proposed multi-layer approach)
  - **jin** (raised concern; sandboxing suggestion)
  - **0xbbjoker** (plugin/runtime integration experience)
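
A sketch of the pre-publish gate implied by next steps 2, 5 and 6, added here as an illustration and not taken from the project's code. The manifest fields, permission names and `gateSkill` are hypothetical, since the skill packaging format is still listed as a dependency; signature verification is assumed to happen upstream and arrive as a boolean.

```typescript
// Hypothetical manifest: the skill packaging format is not yet defined on the page.
type Permission = "network" | "fs.read" | "fs.write" | "process.spawn";
type Decision = { action: "publish" | "hold" | "reject"; reasons: string[] };

interface SkillManifest {
  name: string;
  sha256: string;             // digest of the packaged artifact
  signed: boolean;            // outcome of signature verification done upstream
  permissions: Permission[];
  networkAllowlist: string[]; // explicit egress hosts, no wildcards
}

interface Review {
  llmVerdict: "pass" | "flag"; // advisory input only
  humanApproved: boolean;
}

const HIGH_RISK = new Set<Permission>(["fs.write", "process.spawn"]);

function gateSkill(m: SkillManifest, review: Review, revoked: ReadonlySet<string>): Decision {
  const reject: string[] = [];
  const hold: string[] = [];
  if (revoked.has(m.sha256)) reject.push("artifact digest is on the revoke list");
  if (!m.signed) reject.push("artifact is not signed");

  // Deny by default: network access must name every host it needs.
  const wantsNetwork = m.permissions.includes("network");
  if (wantsNetwork && m.networkAllowlist.length === 0) {
    reject.push("network permission without a host allowlist");
  }
  if (!wantsNetwork && m.networkAllowlist.length > 0) {
    reject.push("host allowlist declared without the network permission");
  }
  for (const host of m.networkAllowlist) {
    if (host.includes("*")) reject.push(`wildcard host not allowed: ${host}`);
  }

  // High-risk permissions and LLM flags both wait for a human; an LLM "pass" approves nothing.
  const risky = m.permissions.filter((p) => HIGH_RISK.has(p));
  if (risky.length > 0 && !review.humanApproved) {
    hold.push(`human approval required for: ${risky.join(", ")}`);
  }
  if (review.llmVerdict === "flag" && !review.humanApproved) {
    hold.push("LLM review flagged the skill");
  }

  if (reject.length > 0) return { action: "reject", reasons: reject };
  if (hold.length > 0) return { action: "hold", reasons: hold };
  return { action: "publish", reasons: [] };
}

// Constructed sample: requests process spawning, so it is held until a human approves.
const SAMPLE: SkillManifest = { name: "demo-skill", sha256: "aa11", signed: true,
  permissions: ["process.spawn"], networkAllowlist: [] };
```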

---

### 2) Token Migration Failures Causing User Financial Loss — **DISC-MIG-001**
- **Current Status:** Ongoing Discord reports; users redirected to support channels. One report cites “over 4k” loss and high friction.
- **Impact Assessment:**
  - **User Impact:** **Critical** (multiple users; direct monetary impact)
  - **Functional Impact:** **Partial** (not core framework runtime, but core ecosystem operations)
  - **Brand Impact:** **High** (trust, legitimacy, reputational risk)
- **Technical Classification:**
  - **Issue Category:** **Bug / UX / Documentation** (plus Support Ops)
  - **Component Affected:** **Migration tooling + bridge site + support workflows**
  - **Complexity:** **Complex solution** (mix of on-chain edge cases + UI + support)
- **Resource Requirements:**
  - **Required Expertise:** Solana tooling, on-chain token mechanics, web app debugging, support ops, incident communications
  - **Dependencies:** Bridge provider/backend logs; token contract constraints; deadline policy decisions
  - **Estimated Effort (1–5):** **5**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. Open a single “Migration Incident” tracker with sub-issues: detection failures, caps/errors, zero balances, legacy holdings.
  2. Instrument bridge UI with clear error codes + user-facing remediation steps; capture anonymized diagnostics.
  3. Publish an official “Known Issues + Fix Status” post and keep it updated daily until resolved.
  4. Triage the most common failures immediately:
     - Bridge not detecting pre-Nov 2025 tokens
     - “Max amount reached” error
     - Wallet shows zero / mismatched account state
  5. Add a structured support intake form (wallet addr, token mint, tx sigs, screenshots, error code).
- **Potential Assignees:**
  - **Borko / Odilitime** (project coordination + comms)
  - **Hexx 🌐 / satsbased** (support channel operators; intake + escalation)
  - **Solana-focused engineer (e.g., BrightSyntax)** for rapid investigation if available

---

### 3) Skill Invocation Reliability: Skills Not Triggered in ~56% of Eval Cases — **DISC-AGENT-001**
- **Current Status:** Reproduced in evaluation; workaround exists via UserPromptSubmit hook enforcing a 3-step activation sequence.
- **Impact Assessment:**
  - **User Impact:** **High** (anyone relying on skills/tools)
  - **Functional Impact:** **Yes** (agents fail to use tools; core capability degradation)
  - **Brand Impact:** **High** (“agent doesn’t work” perception)
- **Technical Classification:**
  - **Issue Category:** **Bug / Reliability**
  - **Component Affected:** **Core Framework (agent loop), Tool/Skill routing**
  - **Complexity:** **Moderate effort** (prompting + control-flow + evaluation)
- **Resource Requirements:**
  - **Required Expertise:** Agent orchestration, prompt/tool-calling, evaluation harnesses
  - **Dependencies:** Model differences (Sonnet vs others), skill schema/description quality
  - **Estimated Effort (1–5):** **4**
- **Recommended Priority:** **P0**
- **Specific Actionable Next Steps:**
  1. Add an automated regression test: “given docs + eligible skills → must call at least one skill in N% cases.”
  2. Productize the workaround: optional “strict tool-calling mode” (the 3-step gating) behind a config flag.
  3. Improve skill metadata contract: enforce concise descriptions + trigger examples + negative examples.
  4. Add tracing: log “skills considered / selected / not selected” with model outputs for debuggability.
- **Potential Assignees:**
  - **R0am** (workaround author; can help codify into framework)
  - **Stan** (already implementing similar pattern in Cloud)
  - **Odilitime** (core-dev alignment)

---

### 4) ElizaCloud Account Duplication (Proton email aliases) Causes “Agent Disappeared” — **DISC-CLOUD-001**
- **Current Status:** Reported in Discord; suspected duplicate accounts created via `x@proton.me` vs `x@protonmail.com`.
- **Impact Assessment:**
  - **User Impact:** **High** (account access + perceived data loss)
  - **Functional Impact:** **Partial** (Cloud usability blocker)
  - **Brand Impact:** **High** (trust in Cloud persistence)
- **Technical Classification:**
  - **Issue Category:** **Bug / UX**
  - **Component Affected:** **Cloud Auth + Account Linking**
  - **Complexity:** **Moderate effort**
- **Resource Requirements:**
  - **Required Expertise:** Identity/auth, account linking, database migrations, support tooling
  - **Dependencies:** Current auth provider behavior; canonicalization rules
  - **Estimated Effort (1–5):** **3**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Implement email canonicalization policy (or explicit alias handling) and document it.
  2. Add “merge accounts” flow for known alias domains (Proton) with verification.
  3. Add admin tooling/support SOP to restore “missing agents” by transferring ownership.
  4. Add automated test coverage for alias login edge cases.
- **Potential Assignees:**
  - **Stan** (Cloud implementation)
  - **0xbbjoker** (API/CLI integration; can assist)
  - **Borko** (support escalation coordination)
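
One way next steps 1 and 2 could fit together, added here as an illustration and not taken from ElizaCloud's code. The `Account` shape, the function names and the alias map (only the `protonmail.com` / `proton.me` pair named in the report) are assumptions; grouped accounts are merge candidates only, and a merge still needs proof of control of each address.

```typescript
// Assumption: alias pair taken from the report; extend only for domains verified
// to deliver to the same mailbox. A Map avoids prototype-key lookups on odd domains.
const ALIAS_DOMAINS = new Map<string, string>([["protonmail.com", "proton.me"]]);

interface Account {
  id: string;
  email: string;      // as typed at signup
  agentIds: string[];
}

// Constructed sample data, not real accounts.
const SAMPLE_ACCOUNTS: Account[] = [
  { id: "acct-1", email: "x@protonmail.com", agentIds: ["agent-1"] },
  { id: "acct-2", email: "X@proton.me", agentIds: [] },
  { id: "acct-3", email: "y@example.com", agentIds: [] },
];

// Policy choice in this sketch: trim, lowercase, and fold alias domains.
function canonicalEmail(raw: string): string {
  const email = raw.trim().toLowerCase();
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) throw new Error("not an email address");
  const domain = email.slice(at + 1);
  return `${email.slice(0, at)}@${ALIAS_DOMAINS.get(domain) ?? domain}`;
}

// Groups existing accounts whose addresses collapse to one canonical form.
function findMergeCandidates(accounts: Account[]): Map<string, Account[]> {
  const groups = new Map<string, Account[]>();
  for (const a of accounts) {
    const key = canonicalEmail(a.email);
    groups.set(key, [...(groups.get(key) ?? []), a]);
  }
  for (const [key, group] of groups) {
    if (group.length < 2) groups.delete(key);
  }
  return groups;
}

// Login lookup by canonical form, so an alias login reaches the account that owns
// the agents instead of silently creating an empty duplicate.
function resolveLogin(loginEmail: string, accounts: Account[]): Account | undefined {
  const key = canonicalEmail(loginEmail);
  const matches = accounts.filter((a) => canonicalEmail(a.email) === key);
  return matches.sort((x, y) => y.agentIds.length - x.agentIds.length)[0];
}
```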

---

### 5) ElizaCloud: API Key Creation Blocked Without Credit Card (even with free credits); x402 disabled on free tier — **DISC-CLOUD-002**
- **Current Status:** Reported in Discord; blocks bot testing and API usage for free-credit users.
- **Impact Assessment:**
  - **User Impact:** **High** (developer adoption + evaluation friction)
  - **Functional Impact:** **Yes** (prevents API usage for a large funnel segment)
  - **Brand Impact:** **High** (perceived paywall / “can’t try it”)
- **Technical Classification:**
  - **Issue Category:** **UX / Bug / Billing**
  - **Component Affected:** **Cloud Billing + API Key Management**
  - **Complexity:** **Moderate effort**
- **Resource Requirements:**
  - **Required Expertise:** Billing systems, entitlement checks, API key service, payments (x402)
  - **Dependencies:** Billing policy decisions; risk controls (fraud/abuse)
  - **Estimated Effort (1–5):** **3**
- **Recommended Priority:** **P1**
- **Specific Actionable Next Steps:**
  1. Separate “API key issuance” entitlement from “payment method on file” for free-tier quotas.
  2. Enable x402 top-ups for free tier (with rate limits) *or* provide a limited developer key mode.
  3. Add clear UI messaging: why blocked + exact steps to unblock; show remaining free credits.
  4. Add abuse safeguards: per-IP/per-account quotas; CAPTCHA for key creation if needed.
- **Potential Assignees:**
  - **Stan** (Cloud)
  - **borisudovicic** (product requirements alignment)
  - **Odilitime** (policy + rollout coordination)

---

### 6) GitHub Issue: **Billing** — elizaos/eliza **#6448**
- **Current Status:** **OPEN** (empty body; needs scoping).
- **Impact Assessment:**
  - **User Impact:** **Medium → High** (depends on what billing covers; likely Cloud monetization)
  - **Functional Impact:** **Partial** (monetization + access gating)
  - **Brand Impact:** **Medium** (billing rough edges reflect maturity)
- **Technical Classification:**
  - **Issue Category:** **Feature Request / Bug** (currently unspecified)
  - **Component Affected:** **API / Cloud / Billing**
  - **Complexity:** **Unknown** (needs definition)
- **Resource Requirements:**
  - **Required Expertise:** Billing/payments, entitlements, metering, invoicing
  - **Dependencies:** Product policy (tiers, free credits, x402), identity/account model
  - **Estimated Effort (1–5):** **2** (to scope) / **4–5** (to implement depending on requirements)
- **Recommended Priority:** **P1** (scope immediately to unblock fixes like DISC-CLOUD-002)
- **Specific Actionable Next Steps:**
  1. Update issue with problem statement: tiers, API key gating, x402 support, invoicing requirements.
  2. Add acceptance criteria + non-goals + rollout plan.
  3. Link related Discord-reported items (credit card gating, x402 free-tier).
- **Potential Assignees:**
  - **borisudovicic** (issue author; define requirements)
  - **Stan** (Cloud implementation)
  - **Odilitime** (review + prioritization)

---

### 7) Bridge Website Doesn’t Detect Pre‑Nov 2025 Tokens — **DISC-MIG-002**
- **Current Status:** Reported in Discord; user unable to migrate legacy holdings.
- **Impact Assessment:**
  - **User Impact:** **High** (blocked migrations; potential losses)
  - **Functional Impact:** **Partial**
  - **Brand Impact:** **High**
- **Technical Classification:**
  - **Issue Category:** **Bug**
  - **Component Affected:** **Migration bridge indexing / eligibility logic**
  - **Complexity:** **Moderate effort**
- **Resource Requirements:**
  - **Required Expertise:** Solana indexing, RPC performance, token account history, snapshot logic
  - **Dependencies:** Snapshot sources; RPC provider reliability
  - **Estimated Effort (1–5):** **4**
- **Recommended Priority:** **P0** (because it directly contributes to DISC-MIG-001 losses)
- **Specific Actionable Next Steps:**
  1. Reproduce with a known legacy wallet; capture token account states and expected detection logic.
  2. Validate snapshot criteria vs real chain data; patch eligibility rules.
  3. Add “manual verification” fallback path (support-run) for edge cases.
- **Potential Assignees:**
  - Core migration/bridge engineer (not named in logs) + **Hexx 🌐** for support escalation
  - **BrightSyntax** (if onboarded) for Solana investigation support

---

### 8) “Max amount reached” Error During Migration — **DISC-MIG-003**
- **Current Status:** Reported in Discord.
- **Impact Assessment:**
  - **User Impact:** **Medium → High** (likely affects a subset; blocks completion)
  - **Functional Impact:** **Partial**
  - **Brand Impact:** **High** (migration perceived as broken)
- **Technical Classification:**
  - **Issue Category:** **Bug / UX**
  - **Component Affected:** **Migration bridge constraints / rate limits / contract caps**
  - **Complexity:** **Moderate effort**
- **Resource Requirements:**
  - **Required Expertise:** On-chain limits, backend rate limiting, UI error handling
  - **Dependencies:** Contract parameters; backend throttles
  - **Estimated Effort (1–5):** **3**
- **Recommended Priority:** **P0** (migration blocking issue)
- **Specific Actionable Next Steps:**
  1. Identify whether the “max amount” is per-tx, per-wallet, per-epoch, or global cap; surface it in UI.
  2. If per-tx: implement auto-splitting into multiple transactions.
  3. If per-wallet: provide rationale and support override path if unintended.
- **Potential Assignees:**
  - Migration/bridge engineer + **Borko** (coordination) + **Hexx 🌐** (support SOP)

---

### 9) Branch Divergence: “Use odi-dev, not main” (Risk of Users Building on Wrong Code) — **DISC-DEVEX-001**
- **Current Status:** Discord guidance indicates main is missing many improvements/bug fixes.
- **Impact Assessment:**
  - **User Impact:** **Medium** (devs may hit already-fixed bugs)
  - **Functional Impact:** **Partial** (DX + stability)
  - **Brand Impact:** **Medium** (perceived instability/confusion)
- **Technical Classification:**
  - **Issue Category:** **Documentation / Process**
  - **Component Affected:** **Core Framework repo management / release process**
  - **Complexity:** **Moderate effort**
- **Resource Requirements:**
  - **Required Expertise:** Release engineering, branching strategy, CI, changelog discipline
  - **Dependencies:** Pending PRs; test coverage; release cadence decisions
  - **Estimated Effort (1–5):** **3**
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Clarify branch policy: which branch is stable, which is dev, and how often merges happen.
  2. Add a banner in README/docs indicating the recommended branch/tag for builders.
  3. Establish a weekly “merge-down + release tag” ritual with a short changelog.
- **Potential Assignees:**
  - **Odilitime** (raised guidance; owns context)
  - **0xbbjoker** (repo maintenance)
  - **greptile-apps** (could assist with automated review checks)

---

### 10) Character File & Prompt Engineering Improvements — elizaos/eliza **#6447**
- **Current Status:** **OPEN**; iterative prompt/character improvements; plan to test on Sonnet.
- **Impact Assessment:**
  - **User Impact:** **Medium** (quality improvements; not a blocker)
  - **Functional Impact:** **No** (but improves default experience)
  - **Brand Impact:** **Medium** (first impression quality)
- **Technical Classification:**
  - **Issue Category:** **UX**
  - **Component Affected:** **Default Agent Character/Prompts**
  - **Complexity:** **Simple fix → Moderate effort** (iteration + eval)
- **Resource Requirements:**
  - **Required Expertise:** Prompt engineering, evaluation design, product voice/tone
  - **Dependencies:** Model choice (Sonnet/Sonnet 5), message examples PRs referenced
  - **Estimated Effort (1–5):** **2**
- **Recommended Priority:** **P2**
- **Specific Actionable Next Steps:**
  1. Add structured eval rubric (helpfulness, tool use, safety, tone consistency).
  2. Integrate message examples (from referenced PRs) and A/B test with Sonnet.
  3. Ship incremental improvements behind versioned character profiles.
- **Potential Assignees:**
  - **borisudovicic** (issue owner)
  - **Stan** (model deployment/testing in Cloud)
  - **Odilitime** (review)

---

## Top Highest-Priority Issues to Address Immediately (Next 24–72h)
1. **DISC-SEC-001:** Malicious skills on Clawhub (supply-chain security) — **P0**
2. **DISC-MIG-001:** Migration failures causing user losses + incident coordination — **P0**
3. **DISC-AGENT-001:** Skill invocation reliability (56% non-trigger) — **P0**
4. **DISC-MIG-002:** Bridge not detecting pre‑Nov 2025 tokens — **P0**
5. **DISC-MIG-003:** “Max amount reached” migration error — **P0**
6. **DISC-CLOUD-001:** Proton alias account duplication causing “agent disappeared” — **P1**
7. **DISC-CLOUD-002 / #6448:** Billing & API-key gating without a credit card; x402 on free tier — **P1**

---

## Patterns / Themes Indicating Deeper Issues
- **Trust & safety gaps in extensibility:** Plugin/skills ecosystem is expanding faster than the enforcement mechanisms (sandboxing, permissions, signing).
- **Operational fragility in high-stakes flows:** Migration has multiple edge-case failures with insufficient observability and unified incident tracking.
- **Agent reliability depends on orchestration discipline:** Tool/skill calling is inconsistent without stronger control-flow, metadata standards, and regression tests.
- **Cloud onboarding friction:** Identity edge cases (email aliasing) + billing gates are creating “can’t try it” failures that harm adoption.

---

## Process Improvements (Prevent Recurrence)
1. **Security baseline for plugins/skills:** Require a permissions manifest + signed artifacts + sandboxed execution before marketplace distribution.
2. **Incident command for migrations:** Single public status page + internal runbook, with error codes mapped to fixes and ETAs.
3. **Reliability test gates for tool calling:** Add CI evals that fail builds when skill/tool invocation success rate regresses.
4. **Cloud identity & billing design reviews:** Canonicalize identity rules and separate “trial access” entitlements from “payment method on file,” with explicit anti-abuse controls.
5. **Release/branch clarity:** Publish a stable branch/tag policy and automate regular merges/releases to prevent community building on stale or divergent branches.