The Discord Bot

← Notes

I wanted to run workflows on my Mac mini from my phone. Not through an SSH app, not by remoting in. I wanted to type a sentence and have the machine do the work.

So I built a Discord bot. It connects to Claude's API and gives Claude shell access to the machine. I send a message in Discord, Claude interprets what I'm asking, decides what commands to run, executes them, reads the output, and keeps going until the task is done. An agentic loop with my Mac mini as the runtime.

The interesting part is what I didn't build. I didn't write an email integration. I didn't write a file manager. I didn't build Notion syncing. I gave Claude a terminal and it figured out the rest. It sent emails through osascript and Mail.app. It read and wrote files. It ran Python scripts. Three npm dependencies, zero hardcoded workflows.

The architecture is simple. Discord.js opens an outbound WebSocket to Discord's gateway. Messages come in over that persistent connection. The bot checks if the sender is me (owner-only auth), then hands the message to Claude with four tools: run a shell command, read a file, write a file, list a directory. Claude decides what to do, calls tools in a loop (up to 20 turns), and the final response gets posted back to the Discord channel.

Permission scoping was the part I spent the most time on. The bot can execute arbitrary commands, which means it needs guardrails. I built a destructive command blocklist that catches patterns like rm -rf, kill -9, shutdown, and piped curl. When Claude tries to run something flagged, the bot posts a confirmation message with reaction buttons. I have 30 seconds to approve or it cancels. The blocklist is a speed bump, not a wall. The real security boundary is the owner check.

One week after I finished, Anthropic released Remote Control. It does what my bot did, directly from the Claude app on your phone. I use it now. The bot is retired.

I'm genuinely glad they shipped it. Maintaining a custom bot that handles WebSocket reconnections, process management (pm2, sleep disabled on the Mac mini so it stays available 24/7), and security scoping is a real maintenance load. A first-party tool that handles all of that means I can focus on the workflows instead of the infrastructure.

What I kept is the understanding. I now know how Discord's gateway works, how an agentic tool loop executes in practice, how to scope permissions for an AI with shell access, and why giving a model access to a terminal is both more capable and more dangerous than building individual integrations. Every time I work with an agent framework now, I can reason about what's happening underneath because I built the plumbing myself.

The bot crashed 47 times during development. Each crash was a lesson the documentation didn't cover.