CardVouch is a user-installable Discord bot for sports, Pokémon, and TCG marketplaces. One slash command tells you whether a DM is from a real mod, a verified seller, or a 12-day-old throwaway account.
A buyer wins a card. A scammer DMs them within seconds, wearing a username that looks like a Mod tag, claiming the ticket service is down. The buyer pays the "middleman fee" — and the scammer disappears.
A buyer makes an offer in the marketplace channel. A scammer DMs them impersonating the seller, accepts the offer, takes payment — and never had the card to send.
Both scams succeed in the same 30-second window: the buyer is excited, the DM looks legitimate, and there's no fast way to check who they're actually talking to. CardVouch closes that window.
This is exactly what a buyer sees when they run
/vouch on the suspicious DM. Click a scenario.
Click Run vouch to see the CardVouch report.
Only you can see this — it's ephemeral in Discord.
One-click via Discord's User Install flow. No bot in the user's server — it's attached to them. Slash commands become available inside every DM they're in, forever.
Someone claims to be a mod, a seller, or a middleman. Username
looks legit. Pressure is high. The buyer types
/vouch right inside the DM.
The bot looks up the suspect in every configured marketplace
guild. Does this user have a trusted role
(Mod, Verified Seller,
Insured)? How old is their account? Are they even
a member of the marketplace?
A risk band (TRUSTED · CAUTION · HIGH RISK · LIKELY SCAM), the signals behind it, and a pre-payment checklist. Total round-trip: about 3 seconds.
/vouch
Returns role status across marketplaces, account age, shared-server membership, and a risk band — in 3 seconds.
/panic
The five things to confirm before sending money. If you can't tick all five, don't pay.
/report
Save the user ID and reason. Share with marketplace mods later. (Optional cross-marketplace shared blocklist in v2.)
CardVouch is open source. Add the bot to your server with View Members permission, drop your guild ID into a config file, and hand your community the install link. Trusted role names are configurable, so it maps to whatever you call your verified sellers and mods.
# 1. Clone the prototype git clone https://github.com/your-org/cardvouch-bot cd cardvouch-bot && npm install # 2. Configure cp .env.example .env # Set DISCORD_TOKEN, CLIENT_ID, MARKETPLACE_GUILD_IDS # 3. Register slash commands (one-time) npm run register # 4. Run it npm start # 5. Share the User Install link from # Discord Developer Portal → Installation
Discord's platform has hard rules. Honesty about them is part of the product.
Discord blocks bots from reading or writing to another user's private DMs. CardVouch works by being invoked via slash command — but it lives in every DM, ready in 1 keystroke.
User-install apps don't get message-content access in DMs they weren't invited into. CardVouch scores from identity signals (roles, age, shared servers) — which is what scammers can't fake.
The bot must be present in each marketplace server to read role data. That's a 30-second invite — and a powerful incentive for marketplaces to differentiate on safety.