Skip to main content
The Internal Anti-Nuke cog protects against bot token theft. If an attacker obtains the bot’s token and sends API requests directly, those requests appear in the guild audit log attributed to the bot but have no matching authorization window — triggering an immediate guild leave.

Authorization Windows

The cog maintains four types of authorization windows. Any match is sufficient to authorize an action:
WindowDurationDescription
Task windowDuration of taskA recognized background task (e.g. sync_bans_task) is actively running. Covers all guilds globally while active.
Owner window5 minutesA bot owner ran a command (prefix or slash, including jishaku) in this guild. A guild ID of 0 acts as a global owner window covering every guild simultaneously.
Command window60 secondsAny non-owner command was invoked in this guild.
Join window10 minutesThe bot just joined this guild, covering the flood of auto-bans and role creations during on_guild_join.

Monitored Audit Log Actions

The following actions are monitored. If the bot performs any of these outside an authorization window it immediately leaves the guild:
  • ban
  • kick
  • unban
  • channel_delete
  • role_delete
  • guild_update
  • webhook_create
  • webhook_delete
  • bot_add
Actions such as role_create, role_update, channel_update, member_update, and invite_create are not monitored because the bot performs them legitimately and frequently (quarantine setup, mute roles, etc.).