Sometimes for commissions, people use their own scripts by doing
require(script_model_id)
Is it possible for a backdoor to be put there, and how can you tell?
If someone, for example, used something like require(83734781)
and the script was super important to the whole game, and I’m not sure if I can trust it, how can I see the contents of that script?
Purchase the model, insert it in a game in studio, inspect contents.
Repeat as many times as needed since backdoors/malicious models often have multiple layers of requires.
Yes, this can be abused. Assets can be updated to include malicious code, even if at first it was harmless. If you’re paranoid about this kind of thing, I don’t think it’d be much to ask the person you’re commissioning to not use require(id) but to instead have the require be a ModuleScript in the game.
If you’re a bit suspicious about who you commission, your best bet is to manually insert the modules in the game, review the code, and require the module’s path instead of the website id. The website version can become public and get updated at any time, which means whoever owns it has full access to the game.
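
An added example, not written by anyone in this thread: a Luau snippet for the Studio command bar that lists every script in the open place calling require with a literal numeric asset ID, so each one can be inserted, reviewed and replaced with an in-game ModuleScript path as the replies suggest. The function name findAssetRequires is made up for this example, and it assumes the command bar may read the Source property; IDs assembled at runtime are not caught.

```lua
-- Added example: paste into the Roblox Studio command bar.
-- Reports require(<number>) calls, i.e. modules loaded by website asset ID.

-- Returns a list of { line = n, assetId = id } for one script's source text.
local function findAssetRequires(source)
	local hits = {}
	local lineNo = 0
	for line in (source .. "\n"):gmatch("(.-)\r?\n") do
		lineNo += 1
		-- %f[%w_] keeps names like "myrequire" from matching;
		-- %b() captures the balanced parenthesised argument.
		for arg in line:gmatch("%f[%w_]require%s*(%b())") do
			-- Drop the parentheses, whitespace and digit separators (83_734_781).
			local inner = arg:sub(2, -2):gsub("[%s_]", "")
			-- tonumber accepts decimal and 0x-prefixed hex literals.
			local id = tonumber(inner)
			if id then
				table.insert(hits, { line = lineNo, assetId = id })
			end
		end
	end
	return hits
end

local total = 0
for _, inst in ipairs(game:GetDescendants()) do
	-- pcall: some instances refuse property reads, and Source needs
	-- plugin-level access (assumed available in the command bar).
	local ok, source = pcall(function()
		return inst:IsA("LuaSourceContainer") and inst.Source or nil
	end)
	if ok and source then
		for _, hit in ipairs(findAssetRequires(source)) do
			total += 1
			warn(string.format("%s:%d require(%d)",
				inst:GetFullName(), hit.line, hit.assetId))
		end
	end
end
print(string.format("%d require(assetId) call(s) found", total))
```

Re-run it after inserting each flagged module locally, since a reviewed module can itself require further asset IDs.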