The bot should never be given any mod privileges. That said, someone pulling the oauth to impersonate the bot remains a possibility… Who knows how likely that would be as there really wouldn’t be any gain in doing so, but I guess I could look into user authentication. Probably the safest route and I shouldn’t be lazy. 
Appreciate the reply!