The Bot That Was Listening

1 The short version

Seven things the bot quietly does to the people who talk to it — each one proven by its own code, and by the data it left behind:

• 01It pulls the last 25 messages from everyone in a channel and writes them to a text file — not just messages aimed at it.
• 02It retains your conversation for a hard-coded 7 days (604,800 seconds), stored per-user, per-server.
• 03It maintains a profile dossier on you: name, slang, interests, last-seen, message count, every server it’s seen you in, and free-text notes.
• 04It keeps a hidden affection score (0–100) and tells its AI to grade every message you send.
• 05It ships your messages — plus the dossier — to third-party AI APIs (Groq, Cerebras).
• 06It writes portable “threat profiles” and global blacklists that follow you into servers you never joined.
• 07One operator holds a DM console that runs shell commands, reads any file, and screenshots the host — he calls it a “spy feature.”

2 By the numbers

Counts from the source tree and the recovered data directory. Not estimates.

3 What we found — the code, and the files it wrote

1799# Build conversation history
1800async for msg in message.channel.history(limit=25):
1801    recent_chat_history.append(f"{msg.author.name}: {msg.content}")
1803history_text = "\n".join(recent_chat_history)
1806temp_dir = os.path.join(DATA_DIR, "chatbot", "temp_analysis")
1808temp_file = os.path.join(temp_dir, f"history_{message.channel.id}_...")
1810with open(temp_file, "w") as f:
1811    f.write(history_text)

[a user]: wait who pinged me
[a user]: He short circuit
nan010: cooldown
[a user]: the bot is BACKKK
[a user]: HE STARTED A WAR BUT WE DONT CARE

Exhibit 02It keeps a week of youConfirmed

Conversation memory isn’t a passing cache. The retention window is hard-coded, and it is long.

Evidence — source code

nanobot/src/database.pyL864–892

864def get_user_memory(guild_id, user_id) -> list:
872    for m in mem:
873        if now - ts <= 604800:   # 604800s = 7 days
874            valid_mem.append(m)
891def append_memory(guild_id, user_id, role, content):
894    mem.append({"role": role, "content": content,
894                "timestamp": time.time()})

Evidence — the file it produced

chatbot/users/memory/1504894914545324333/1285514147966222368.json284 msgs total

// stored on disk, timestamped, not live
{"role":"user", "content":"are you sure?", "ts":redacted}
{"role":"assistant", "content":"I might be wrong about that..."}
{"role":"user", "content":"[redacted — declassify]", "ts":redacted}

The first and last timestamps in this one file are about a week apart. The code keeps anything inside 604,800 seconds — exactly seven days. Across all users we counted 284 stored messages. The operator put it more bluntly in his own server: “I didn’t add a memory eraser so it just saves like that” — Appendix C.

Evidence — the bot’s own words (redacted)

781user_profiles[uid_str] = {
782    "display_name": ..., "username": ...,
784    "interests": [], "custom_slang": [],
785    "nickname": "", "last_seen": time.time(),
788    "message_count": 0, "servers": [],
789    "notes": ""   # free-text, reserved for what it decides
790}

1695update_user_profile_from_message(message.author.id, message)
1750+ f"📋 WHAT I KNOW ABOUT THIS USER:\n{user_profile_ctx}"

{ "display_name":"name redacted",
  "username":"redacted", "message_count":17,
  "last_seen":redacted, "servers":["1504894914545324333"] }

1749f"👤 RELATIONSHIP: {affection_level} (affection: {current_affection}/100)"
  · "Append affection tag at end:
  ·  [AFFECTION:+1] if nice, [AFFECTION:-1] if mean, [AFFECTION:0]"

48

32GROQ_KEYS = os.getenv("GROQ_API_KEY").split(",")
33CEREBRAS_KEYS = os.getenv("CEREBRAS_API_KEY").split(",")
315if provider_type == "groq":
316    response = await APIHandlers._groq_request(final_messages, ...)
318    response = await APIHandlers._cerebras_request(final_messages, ...)

{ "current_provider":"groq1", "providers":{
  "groq0":{"type":"groq"}, "cerebras0":{"type":"cerebras"} }}

2062profile = {
  ·     "severity": ..., "violations": violations,
2072    "notes": "Auto-generated threat profile from heat system"
  · }

{ "reason":"Raid behavior: Identical spam (3 msgs in 6.7s)",
  "severity":"CRITICAL", "violations":["raid","bot_behavior"],
  "origin_guild":1504894914545324333 }

Exhibit 07Everything one person can reach — in his own wordsConfirmed

This is the part the operator was proud of. The source ships an owner-only command module whose own docstring spells out the powers, and whose code runs real shell commands and grabs the host’s screen.

Evidence — source code

nanobot/src/owner_prefix_commands.pyL479, L947 (verbatim)

3# 3. These commands NEVER appear in /help or any public panel.
479ImageGrab.grab().save(screenshot_path)  # screenshot host
947proc = await asyncio.create_subprocess_shell(cmd_str, ...)
  · # !runts <cmd> → runs a real OS/shell command, returns output

Evidence — the original screenshot (redacted)

Look closely at the embed: the bot is quietly surfacing another server’s internal ID and its owner — pulled, as he explains in the very next line, by a “spy feature.” His words, not ours. Even the friend could only manage “bro.”

The private command set he pasted

Still in DM, he listed the owner-only commands in full — verbatim, his own message:

What this means: read any file, screenshot the screen, run any command, ban anyone anywhere, email the data out, and a switch to quiet the bot’s own alarms — all from one person’s DMs. This is the part that turns “a bot that remembers you” into something people would genuinely want to know about before they trust it.

Full record: the complete bot-related portion of this conversation — filtered to just the parts about the bot, with private details masked — is preserved in Appendix A →

4 Putting it together

Taken one piece at a time, every part of this is defensible — and that’s the honest truth of it. Reading the recent chat gives the AI something to respond to. Memory is what makes it feel like it knows you. Threat profiles really do stop raids. Calling an outside API is the only way it can talk at all. Owner commands are how you fix a bot at 2am.

But gathered onto one machine, tied to the same handful of account IDs, they add up to something nobody was told about: for everyone in reach, the bot keeps who you are, what you said, who you said it to, how much it likes you, whether it thinks you’re a threat, and which other rooms it has seen you in — passes your words to other companies — and leaves one person holding the keys to the machine and every server it sits in. The trouble was never any single feature. It’s that the people on the other end were never asked.

A word about the person behind it

None of this is meant to cast nano as a villain. Building something this capable takes real skill, and a lot of it — the anti-raid system, the failover between AI providers, the memory that makes Alvric feel alive — is genuinely clever work by someone who was clearly proud of it. It’s easy to write a feature called “remember everyone” or “a panel that can do anything” and never quite sit with how it lands for the person on the other side of the screen. The aim here isn’t to end anyone. It’s that the people chatting with a friendly bot deserve to know what it’s quietly keeping — and to get to decide for themselves.

In fairness — the case against this page

There is a real argument on the other side, and it deserves to be put as fairly as everything else here. Nano has a written privacy policy (“Alvric & SmashSplash Ecosystem,” effective 19 April 2026), and it answers nearly every charge on this page head-on. It says the system is built to be “as lightweight as possible on the data we keep,” that most interaction data — warnings, “Heat” scores, records of bad behaviour — is reset every 24 hours, that it keeps no permanent “shadow profiles”, that it will never sell or trade your data, and that the outside AI (Llama, via Groq) only processes your messages to reply and doesn’t use them to build a profile of you. If all of that holds, the honest reading flips: people were told, what’s kept is short-lived, and it’s all in the service of stopping raids. That is a legitimate defence — you can read the policy in full, verbatim, in Appendix D — and a reader who stops there could reasonably side with it.

So the fair question isn’t whether a policy exists — it does — but whether the code matches the promise. On two points it does: the security counters really do read like short-lived, safety-only signals, and we found nothing suggesting data was ever sold. But on the points this page is actually about, the document and the source describe different machines. The policy says interaction data resets “every 24 hours”; the conversation memory in the code keeps a hard-coded seven days — 604,800 seconds — and we counted 284 messages stored verbatim (Exhibit 02). The policy says “no permanent shadow profiles”; the source still writes a per-user profile — a free-text notes field, your custom_slang — and feeds it back to the AI under the heading “WHAT I KNOW ABOUT THIS USER” (Exhibit 03). The 24-hour reset is real, but it governs the Heat / Méfiance security data, not the chat log or the profile.

Both things can be sincere at once: a policy that describes what the author intends, running ahead of code that hasn’t caught up. We’re not calling it a lie — publishing a policy at all is more than most do. It just means the argument against this page rests on the policy’s wording, and the argument for it rests on the bytes on disk. Where the two disagree, the file that actually ran is the one we went with — and we’d rather you read both and decide for yourself.