Clearing your game of malicious scripts, plugins, and backdoors

This is pretty well written, short and simple, and you’ve pretty much hit the nail on the head. I’d like to note, my script (GameTree) is a little outdated at this point, and I wouldn’t rely on it catching anything recently made due to very common obfuscation techniques now being used. I was thinking about writing a much more advanced plugin sandbox tool to replace GameTree, however I unfortunately am not sure when or if I’ll have time.

On the topic of obfuscated scripts, you can actually view what these scripts do with not too much hassle. You probably will see a lot of weird numbers and backslashes. This is simply a way of rewriting text within a string. Each individual character has its own number, like an id. You can simply copy any text you see and run print with that text in the middle. Additionally, a lot of obfuscated code now uses string.reverse. You can pretty much just copy and paste this exactly how you see it and print it out to see what the text really is.

getfenv is a way scripts can access different, common code with text. For example, getfenv().game will try to access the game instance which is used by code. This also includes certain functions, such as require. Using square brackets is a way to simply insert text, or some value from somewhere else, instead of typing it normally. This is used in combination with what I mentioned above to hide code.

Here’s an example of what you might see:

getfenv()[string.reverse("eriuqer")](1000*56/10*16)

You may also, like I said, see weird backslashes and numbers instead of something that looks like text. Again, this is just a way of writing text, and in this case it would be used to hide, aka obscure, what the script is doing. You can simply take the portion within the square brackets, read to see what you think it’s doing, and simply put it within the parentheses in print(). In this case, assuming you copied everything, you’d see “require” in the output window (which you should generally have enabled; however, if you don’t, you can find it in the View tab at the top of Studio).

Now, finally, I’ll explain what require is. You may be familiar with what an “asset” is on Roblox. If you’re not, it’s simply something (code, model, place, gamepass, etc.) that has been uploaded to Roblox. Every asset on Roblox has a unique number given to it. What require does, essentially, is it can be given an asset id (the number of an asset) and it can then load that asset (require it) into the game. If that asset meets certain conditions (being a free model with a ModuleScript named MainModule) it can be run like a script.

The reason that these malicious “backdoors” are inserted into your game is because the owner of those modules can essentially change what code is a part of their module (the thing being required). This allows them to run code on your game just like any script in your game. It also allows them to load in their own asset, code, models, etc without your knowledge. Obviously, you can see why this would be bad.

Hopefully this helps explain what backdoors are, what obfuscation does, and all of that.
