tested it out, works as its supposed to, when are you adding the option to upload assets?
currently, uploading assets is done through our discord server, where people can apply to become a seller. we will add the feature to upload assets directly from the studio plugin, however they will have to be a âverified sellerâ (trusted seller) as the process will make it go directly onto the plugin.
doesnât work. no topbar button
12:07:00.382 Infinite yield possible on âuser_FrostShopPlugin.rbxmx.FrostShopPlugin:WaitForChild(âMainFrameâ)â - Studio
12:07:00.382 Stack Begin - Studio
12:07:00.382 Script âuser_FrostShopPlugin.rbxmx.FrostShopPlugin.Modules.Notificationâ, Line 6 - Studio
12:07:00.383 Stack End
okay, Iâve reverse engineered this plugin, Iâve made my frontend and i just found out the credits are too expensive?
credits are at the base ratio of 1:50 (credit:robux), although it may seem that credits are too expensive, the sellers choose to sell their products for prices that they think are fair. 250 robux for 5 credits may sound like a lot, but keep in mind buying items is cheaper than you think.
how did you fix the yielding issue? (nevermind, this issue has been fixed it was due to a stupid error i made)
try again now, it should defo be fixed.
Can you just make me verified. It always is giving me an error.
Hello, please try again, as it should work now.
this is an obvious malicious plugin, theres so many other ways to achieve getting a table from pastebin that doesnât involve loadstr
2 Likes
âthis is obviously a malicious pluginâ if I were to add malicious scripts into your game, It would ask for the permissions to, as itâs locked behind pluginsecurity. we only use loadstring currently to extract it since I am too lazy to convert it into json, and we will have an api endpoint for the products (returning in json) soon. we will still however need loadstring to be able to load assets, as we serialize products into code when storing them. please read over the source carefully before making these false allegations.
horrible mindset, i understand why people are calling your plugin malicious. this is like saying google doesnât want to patch a potential vulnerability in their websites because theyâre too lazy. being lazy for the security of your customers is not a valid excuse and highlights ignorance.
you can do this if you want but donât complain when people arenât trusting your plugin.
1 Like
this quote speaks for itself, please read my full message before responding.
I think you should convert this plugin to a website for more security. Putting it in a plugin is highly risky and vunerable, just like everyone said. It would make it easier for future updates and would be able to patch alot of vunerable attacks.
1 Like
i agree with this i feel like this should be a website instead there was a website called ToolBlocks but it got shutdown so this would have potential if it was a website
1 Like
shouldâve done that before posting it then, why publish an unfinished product in terms of security??
as I have already said before, inserting a malicious script requires the user to explicitly give the plugin permission to âedit scriptsâ.
What if the pastebin was changed (idk if you can) but if you could then the loadstring could grab a script with getobjects and insert it that way, bypassing the prompt. I would prefer if the pastebin returned a json which could be decoded with httpservice
Is the actual plugin script not already running my guy 
how else would loudstr run then?