Can my script be hidden with script.Parent = nil?

I recently found a way to hide my localscripts, and prevent them from being deleted by an exploiter, this would be by doing

script.Parent = nil

however, I do have one question in mind which I’m really not sure about the answer to this…

Can my script be bypassed by exploiters?

I know exploiters can do getnilinstance (only works on some executors like synapse), find the script, and delete it but my script also changes its name every second. i had an exploiter friend do a test, but when he executed, the script never deleted and he still got kicked

i also added

while RunService.Heartbeat:Wait() do

inside my script

My script actually does work, I’m just concerned weather or not exploiters can bypass this. if you have any idea, it would be very appreciated, and apologies for my stupidity, i am very new to this stuff lol

(Also want to mention, I know i shouldn’t trust the client, and i usually do checks on serverside too, but I want to run these tests on the client, prevent them from destroying things in workspace, etc. and maybe if it works, add it to my game.)

1 Like

Pretty much every single popular executor has getnilinstances or some derivative of it. Doesn’t matter if you change the name, doesn’t matter what you do in the script. If it’s on the client, it will be bypassed.


yeah but that is my question, how will it be bypassed? I know it can be bypassed and there is a way, i just want to know how a player can bypass it if its in nil so i can possibly improve it or something like that

That’s basically destroying the script. A solution is just to keep it in server script service.

If the client has access to it their is no way to prevent them from bypassing it. Your best method is to try and handle as much on the server that is critical to your game.

There are a million and one ways. One way could be overwriting all the globals in your specific script to cause it to error and stop. Another way would be to change the constants in the script to also error and stop, or even behave like it’s not supposed to. Users can also cause :Wait() or any other function call done in the script to either error or yield indefinitely by replacing it.

1 Like

I just realized how I can mess with variables/globals and things like that, can I also down-right physically do something to the script instead of just yielding it…? I’m also curious how I can possibly yield it (what script would an exploiter use to mess with my variables?) I know how my variables/globals can be messed with, but how will they even be able to do it? would be nice if you can tell me that too

I would recommend disabling it then moving it to ServerStorage or ReplicatedStorage. Keep in mind that ServerStorage is more secure, but you are attempting to use client code. Either way, there’s gonna be a security issue and, unfortunately, there’s not much you could do about it. It’s simply a problem with using Roblox as a development platform.

Functions such as getsenv, getrenv, and every derivation used tends to mess with global variables somehow. getupvalues is generally used to reach upvalues (which are your locals) in scripts to mess with them. getconstants works similarly but for the constants for specific functions. Yielding can be done simply via coroutine.yield, too. No way to get around them, really.