Bot permissions in Discord look intimidating because they're a 53-bit bitfield. In practice you only need to understand about 15 of them.
The dangerous ones
These give a compromised bot the keys to your server:
- Administrator: bypasses every other check. Never grant unless you wrote the bot yourself.
- Manage Server: change server settings, including 2FA requirements.
- Manage Roles: escalate other users (including itself) to higher roles.
- Manage Channels: create, delete, or change permissions on any channel.
- Manage Webhooks: exfiltrate any future channel content.
- Ban Members + Kick Members: obvious.
If a bot asks for any of these, read the docs and ask: does it really need this for the feature I want?
The "usually fine" set
- Read Messages / View Channels
- Send Messages
- Embed Links
- Attach Files
- Read Message History
- Add Reactions
- Use External Emojis
That covers 80% of what most bots actually do.
The integer
Discord encodes permissions as a 53-bit integer in invite URLs. permissions=8 is Administrator; never invite a bot with that unless you trust the developer absolutely.
A good baseline integer for a non-moderation bot: 414464657472 (read, send, embed, attach, history, add reactions, external emojis).
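As an added example (not from the original post or from Discord), this decodes the permissions value in an invite URL and sorts the requested flags into the two groups above. The bit positions come from Discord's published permission flag table rather than from this page, and the invite URLs and client_id are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Bit positions from Discord's documented permission flags (assumption: not listed on the page).
FLAGS = {
    "KICK_MEMBERS": 1, "BAN_MEMBERS": 2, "ADMINISTRATOR": 3,
    "MANAGE_CHANNELS": 4, "MANAGE_GUILD": 5, "ADD_REACTIONS": 6,
    "VIEW_CHANNEL": 10, "SEND_MESSAGES": 11, "EMBED_LINKS": 14,
    "ATTACH_FILES": 15, "READ_MESSAGE_HISTORY": 16,
    "USE_EXTERNAL_EMOJIS": 18, "MANAGE_ROLES": 28, "MANAGE_WEBHOOKS": 29,
}
# The page's two groups, expressed as flag names (MANAGE_GUILD is "Manage Server").
DANGEROUS = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_CHANNELS",
             "MANAGE_WEBHOOKS", "BAN_MEMBERS", "KICK_MEMBERS"}
USUALLY_FINE = set(FLAGS) - DANGEROUS

def encode(names):
    """Build the permissions integer for a set of flag names."""
    value = 0
    for name in names:
        value |= 1 << FLAGS[name]
    return value

def audit_invite(url):
    """Sort the permissions requested by an invite URL into the page's groups."""
    query = parse_qs(urlparse(url).query)
    value = int(query.get("permissions", ["0"])[0])  # ValueError if malformed
    if value < 0:
        raise ValueError("permissions must be non-negative")
    report = {"dangerous": [], "usually_fine": [], "unlisted_bits": []}
    by_bit = {bit: name for name, bit in FLAGS.items()}
    for bit in range(value.bit_length()):
        if not (value >> bit) & 1:
            continue
        name = by_bit.get(bit)
        if name is None:
            report["unlisted_bits"].append(bit)  # not in either list: look it up
        elif name in DANGEROUS:
            report["dangerous"].append(name)
        else:
            report["usually_fine"].append(name)
    return report

if __name__ == "__main__":
    # Constructed invite URLs; client_id=0000 is a placeholder.
    base = "https://discord.com/oauth2/authorize?client_id=0000&scope=bot&permissions="
    for perms in (8, encode(USUALLY_FINE), encode({"SEND_MESSAGES", "MANAGE_WEBHOOKS"})):
        print(perms, audit_invite(base + str(perms)))
```

Any bit reported under unlisted_bits falls outside both lists and should be checked against Discord's permission documentation before the invite is approved.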