How to Tell If a Discord Bot Is Safe Before You Add It (Verified Badge, Permissions, Scam Red Flags)

To tell if a Discord bot is safe before adding it, check four things: a real verified checkmark on the bot's profile, the exact permissions the invite link requests, the developer and their public support server, and any scam red flags like fake "Discord Staff" branding or DMs offering Nitro. If a bot asks for Administrator when it only needs to send messages, stop and read the invite screen carefully before you click Authorize.

Adding a bot is the fastest way to hand a stranger control of your server. The invite screen takes two seconds to approve, but the permissions you grant in that moment can let a bot ban members, delete channels, read every message, or wipe the whole server. Most bots are fine. A few are not. This guide walks through exactly how to check, in the order that catches problems earliest.

Why bot safety matters before you click invite

When you authorize a bot, Discord doesn't sandbox it. The permissions you approve are live immediately. A bot with Administrator can do almost anything a server owner can do, and a malicious or hijacked bot with that access can nuke channels, mass-ban members, or spam invite links to everyone before you notice.

The danger isn't only outright malware. A poorly built bot can leak your member data, a compromised developer account can push a bad update to a bot you already trust, and an impersonator can copy a popular bot's name and avatar to trick you into inviting the wrong one. Checking before you invite costs you about a minute. Cleaning up after a bad invite can cost you your server.

A quick note on what "safe" means here: it covers both the bot's permissions on your server and how the developer handles your data. For a deeper look at the data side, especially with AI bots that read message content, see our breakdown of whether AI Discord bots are safe.

Step 1: Check for the verified badge

Open the bot's profile and look for the verification checkmark next to its name. Discord lets a bot apply for verification once it reaches 75 servers, and the developer completes an identity check as part of that process. A verified bot shows a distinct checkmark badge, and from that point Discord also reviews the sensitive permissions (intents) it can request.

What the badge tells you:

• The developer's identity was checked by Discord.
• The bot is at meaningful scale, so it has a public track record.
• Its sensitive permissions, like reading message content, were reviewed.

What the badge does not tell you: that the bot is well-coded, that the developer is trustworthy forever, or that this specific invite link is the real one. Verification is a strong positive signal, not a guarantee. Plenty of safe, small bots are unverified simply because they haven't hit 75 servers yet. Treat a missing badge as a reason to look harder at Steps 2 through 4, not as automatic proof the bot is bad.

The reverse matters more: if a bot claims to be a huge, well-known service but has no verification badge, that's a red flag worth pausing on. Big, established bots get verified.

Step 2: Review the permissions it requests

This is the most important step, and the one most people skip. When you click an invite link, Discord shows you a screen listing every permission the bot wants. Read it.

Match the permissions to what the bot actually does:

• A leveling or welcome bot needs to send messages, embed links, and manage roles. It does not need to ban members or manage the server.
• A moderation bot legitimately needs kick, ban, manage messages, and timeout. That's expected.
• A music or utility bot needs to connect to voice and speak. It rarely needs role or channel management.

The single biggest warning sign is a bot asking for Administrator when its job is narrow. Administrator is a master key that overrides every other permission and channel override on your server. A reaction-role bot or a poll bot has no reason to ask for it. If a simple bot's invite link requests Administrator, decline and look for a version of the invite that requests only what it needs, or pick a different bot.

You can edit permissions right on the invite screen by unchecking boxes before you authorize. You can also tighten everything afterward, which we cover in Step 5. If you want a permission-by-permission guide to what's reasonable to grant, read what permissions to give a Discord bot. And if you're new to the invite flow itself, our step-by-step guide to adding a Discord bot walks through every screen.

Step 3: Look up the developer and support server

A safe bot almost always has a public home: a website, a support Discord server, and documentation. Before you invite, spend a minute finding it.

What to look for:

• A real support server. Join it. Is it active? Do staff answer questions? Are there hundreds or thousands of members, or is it a ghost town? A genuine bot with real users has a living community around it.
• A website or docs page that explains features, lists commands, and ideally has a privacy policy describing what data the bot collects and how long it keeps it.
• A consistent identity across platforms. The bot's website, support server, and social accounts should all point to each other and use the same branding.

For example, PeakBot lists its support server at discord.gg/peak and its social account as @peakbotx, both linked from its canonical domain at https://peakbot.pro. That kind of consistent, checkable footprint is what you want to see. A bot with no website, no support server, and no way to reach a human is one you can't vet, which is its own answer.

If you're specifically evaluating PeakBot, we wrote a full transparency post on whether PeakBot is safe that covers its permissions and data handling in detail.

Step 4: Spot scam and impersonation red flags

Most bot-related scams on Discord don't come from the bot directory at all. They come from DMs, fake invite links, and impersonation. Learn the patterns and you'll catch nearly all of them.

Hard red flags, any one of which should stop you:

• It impersonates Discord itself. No bot is "official Discord Staff." Discord employees do not DM you to add a bot, claim free Nitro, or ask you to "verify" by authorizing an app. A bot or account using Discord's logo, the name "Discord," or a fake staff badge is a scam.
• A DM pushing you to add it fast. "Add this bot in the next 10 minutes to claim your reward" is pressure designed to stop you from checking. Real bots don't expire.
• The "invite" asks for OAuth scopes like identify or email instead of just bot. A server bot only needs the bot scope (plus applications.commands for slash commands). If an invite link is actually asking to log in as you or read your email, it's a credential grab dressed up as a bot invite.
• Copycat name and avatar. Scammers clone popular bots. Check the exact username, the verification badge, and the developer. A bot named "MEE6" with no badge and a slightly-off avatar is an impersonator.
• Links from random DMs. Only invite bots from the bot's official website, its verified profile, or a trusted directory. Never from an unsolicited DM.

A useful habit: when in doubt, search the bot's exact name plus "scam" or "official invite" and find the developer's real domain before you click anything. The phrase "is this Discord bot safe" is worth typing into a search engine before, not after, you authorize.

Step 5: Apply least-privilege after adding

Even a trustworthy bot should only have the permissions it actually uses. This is the principle of least privilege, and Discord makes it easy to enforce after the bot is in your server.

After inviting:

1. Open Server Settings, then Roles, and find the role Discord auto-created for the bot.
2. Turn off anything it doesn't need. If your welcome bot somehow has Manage Server or Ban Members, remove those. Leave only what its features require.
3. Use channel-level overrides to keep the bot out of channels it has no business reading, like a private staff or owner channel.
4. Keep the bot role below your moderator and admin roles in the hierarchy. A bot can only manage roles and members positioned below its own role, so placement is a real safety control.
5. Re-check after major updates. If a bot adds features and asks you to re-invite for new permissions, read that new invite screen as carefully as the first.

Doing this means that even if a bot is later compromised, the blast radius is limited to what you granted. A bot that can only send messages can't nuke your server no matter what happens to the developer.

How PeakBot approaches bot safety

PeakBot is a free, AI-powered Discord bot that replaces MEE6, Carl-bot, Dyno, and TidyCord with one tool, and it's currently powering 500+ Discord communities. On the safety front, it follows the same rules this guide recommends: a public support server at discord.gg/peak, a single canonical domain at https://peakbot.pro, and a feature set that maps to specific, scoped permissions rather than a blanket Administrator grab.

It also includes tools that protect the server itself, like anti-raid and anti-nuke, context-aware AI moderation that reads message intent instead of matching a fixed keyword list, and full logging so you can see exactly what's happening. More than 30 features are free with no time limit and no trial, and the AI Server Builder, a Pro feature, can build a complete server structure from a plain-English description in under 60 seconds. Pro is $8.25/month or $69/year per server. You can see the full permission breakdown on the features page or compare it against other bots on the comparison page.

To be fair to the alternatives: MEE6 is the most recognizable name and has a polished onboarding flow; Carl-bot has the deepest reaction-role and embed tooling; Dyno is the cheapest premium tier at $4.99/mo; and Arcane is solid for leveling at around $7 per server. Each is a real, safe bot when you get it from its official source. The point of this guide isn't to push one bot over another, it's to make sure that whichever bot you add, you added the real one with the right permissions.

Frequently asked questions

Is this Discord bot safe to add?

A Discord bot is reasonably safe to add if it has a real verification badge, requests only the permissions its features need (no unnecessary Administrator), and has a public developer with an active support server and a website. If any of those are missing, or if it impersonates Discord or pressures you to add it fast, don't.

Does the verified badge mean a Discord bot is completely safe?

No. The verified checkmark means Discord checked the developer's identity and the bot passed 75 servers, which is a strong positive signal. It does not guarantee good code or perfect data handling, so you should still review the permissions it requests and the developer behind it.

What permissions are a red flag for a Discord bot?

Administrator is the biggest red flag when a bot's job is narrow, because it grants total control of the server. Watch for any permission that doesn't match the bot's purpose, like a music or welcome bot asking for Ban Members or Manage Server. You can read the full guidance in our post on what permissions to give a Discord bot.

Can a Discord bot steal my account or password?

A properly scoped server bot cannot, because the bot scope only grants permissions inside the server, not access to your login. Account theft happens when a fake "invite" link actually requests OAuth scopes like email or tries to log in as you, or when a DM tricks you into entering credentials on a fake site. Only authorize bots from official sources.

How do I check a Discord bot's permissions after I've already added it?

Go to Server Settings, then Roles, find the bot's auto-created role, and turn off any permission it doesn't use. Use channel overrides to keep it out of private channels, and keep its role below your moderators in the hierarchy so it can't act on higher roles.