The new run context feature has been implemented and I’ve been notified by testers that my game is very vulnerable to exploits. I was considering switching the vulnerable LocalScript to a server script and implementing it like a server script; however, a server script with a client run context behaves similarly to a LocalScript. I’m wondering if script injection does not detect server scripts with a client run context.
I would playtest it myself but I have no experience in exploiting and will likely get flooded with malware.
A “Script” instance with a Client RunContext behaves exactly the same as a LocalScript in terms of security. The only difference is it will execute anywhere that replicates to the client, e.g. ReplicatedStorage, whereas LocalScripts only executed within tools, characters, and PlayerScripts.
Whenever anything is sent to the client, always assume it can be exploited. There is no such thing as a safe localscript.
Note: In your title you say a “serverscript with a client runcontext”. This is a little misleading, as a Script is only a serverscript if it has a Legacy or Server RunContext. Otherwise, it is a client script much like a localscript is.
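A Studio command-bar audit for the point made in the reply above, added here as an example and not part of the original posts: it lists every script instance that executes on the client, counting a Script with a Client RunContext the same as a LocalScript. The container list and the `classify` helper are assumptions for illustration; adjust the list to your place.

```lua
-- Added example (not from the thread): list scripts by where they execute.
-- Paste into the Roblox Studio command bar.

-- Assumed set of containers to scan; extend it if your place uses others.
local CONTAINERS = {
	"Workspace", "ReplicatedFirst", "ReplicatedStorage",
	"StarterGui", "StarterPack", "StarterPlayer",
	"ServerScriptService", "ServerStorage",
}

-- Hypothetical helper: returns "client", "server", or nil for non-scripts.
-- ClassName is compared directly so each class is matched exactly.
local function classify(inst)
	if inst.ClassName == "LocalScript" then
		return "client"
	elseif inst.ClassName == "Script" then
		if inst.RunContext == Enum.RunContext.Client then
			return "client" -- same trust level as a LocalScript
		elseif inst.RunContext == Enum.RunContext.Server
			or inst.RunContext == Enum.RunContext.Legacy then
			return "server"
		end
	end
	return nil
end

local clientCount, serverCount = 0, 0
for _, serviceName in ipairs(CONTAINERS) do
	for _, inst in ipairs(game:GetService(serviceName):GetDescendants()) do
		local side = classify(inst)
		if side == "client" then
			clientCount += 1
			-- Anything listed here runs on the player's machine and can be
			-- read or altered there, so the server must not trust its output.
			warn(("[client] %s (%s, RunContext=%s)"):format(
				inst:GetFullName(), inst.ClassName, inst.RunContext.Name))
		elseif side == "server" then
			serverCount += 1
			print(("[server] %s (RunContext=%s)"):format(
				inst:GetFullName(), inst.RunContext.Name))
		end
	end
end

print(("%d client-side scripts, %d server-side scripts"):format(
	clientCount, serverCount))
```

ModuleScripts are not listed because they run wherever they are required from.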