tl;dr I made a Discord bot that can run Python code written directly in Discord.
Hi guys, I recently started tinkering on my "old" Discord bot again.
Initially I built this bot just to test the Discord Python API (that's why it has no real function, just cobbled something together) to add and retrieve quotes.
Later on I read something about web scraping and remembered my little bot... so I added a scraping function to get lyrics from "songtexte.com".
Let's finally get to the security nightmare.
I am running the Python script in a Docker container on my NAS and one time, while not having access to the NAS directly, I wanted to check the quotes.json file to see if the quote was saved correctly.
That's when I had the idea that it should be fairly easy to execute a Python script from another Python script (turns out it is) to add debugging options or retrieve some information I hadn't yet thought about.
To begin with I thought about adding functions like 'ls' or 'cat' which will simply call the corresponding system functions, but what's the fun in that?
Then I thought about calling a Python script which pipes its output into a file, which in turn can be sent to Discord by the bot, and that's exactly what the bot does now.
And that's why my bot can now be used to call whatever system call you can think of.
If you're interested in checking it out, you can find it here:
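
As an added example (not code from the bot described in this post), this is the narrower design the post mentions and skips: fixed `ls` and `cat` debug handlers confined to one data directory, with no `exec`, `eval` or shell involved. The `!debug` prefix, the function names and the 1900-character cap are assumptions made for the illustration.

```python
import os

MAX_OUTPUT = 1900  # assumption: keep replies under Discord's 2000-character message limit


def _resolve(base_dir, user_path):
    """Resolve user_path inside base_dir; reject anything that escapes it."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks before the containment check
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path outside data directory")
    return target


def cmd_ls(base_dir, arg="."):
    return "\n".join(sorted(os.listdir(_resolve(base_dir, arg))))


def cmd_cat(base_dir, arg):
    with open(_resolve(base_dir, arg), "r", encoding="utf-8", errors="replace") as fh:
        return fh.read(MAX_OUTPUT + 1)  # read one extra char to detect truncation


# The allowlist: only these names are ever dispatched.
COMMANDS = {"ls": cmd_ls, "cat": cmd_cat}


def handle_debug(message, base_dir):
    """Map '!debug <cmd> [path]' to a fixed handler and return the reply text."""
    parts = message.split(maxsplit=2)
    if len(parts) < 2 or parts[0] != "!debug":
        return "usage: !debug <ls|cat> [path]"
    handler = COMMANDS.get(parts[1])
    if handler is None:
        return "unknown command: " + parts[1]
    try:
        out = handler(base_dir, *parts[2:3])
    except (OSError, TypeError) as exc:
        # Report only the error class so absolute paths are not echoed back.
        return "error: " + type(exc).__name__
    return out if len(out) <= MAX_OUTPUT else out[:MAX_OUTPUT] + "\n[truncated]"
```

Checking `quotes.json` remotely then becomes `!debug cat quotes.json`, and a message such as `!debug cat ../../etc/passwd` is refused instead of being run.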