Dangerous Models, or why does the toolbox even exist?

I’m new to Roblox coding and game design, but I’ve worked in IT for many years doing development, security, and sysadmin work, so let’s say I’m not a total noob when it comes to this world. That said, I humbly accept that I have a lot to learn when it comes to Roblox specifically, and that knowledge is coming with some frustration, especially when it comes to security. I’m told that I should never use community models because of the possibility that somebody has inserted some dastardly piece of code in the shape of a script that would qualify as a Roblox virus, whatever that is. If these concerns are true and every model in the toolbox needs to be viewed as a potential landmine, then what is the point of the toolbox or of even having a shared development resource? If every model is a gateway to security hell, how is any developer, new, intermediate, or experienced, supposed to trust what’s out there? Do we need to view everything with an eye towards exposing ourselves to some nefarious hidden purpose? In short, why would Roblox even allow people to share models, etc., if it’s so freaking dangerous? How can I stop worrying and just start coding?

3 Likes

You’re asking why anything is ever open-source and freely available.

Nothing is ever without risk. You should never blindly use anything - whether it’s on this forum or the toolbox or Google.

Same as installing a program on your computer and using it.

Maybe Roblox could have a vetted models category that were not free to cover the cost of manually reviewing each one, but the best method is to teach people of the risks, let them know what to look out for, and provide methods of reporting bad actors and malicious models.

I think saying “never use free models” is an exaggeration. Many of us learned by dissecting these models and learning about their good and bad points - it’s certainly where I started on the platform in terms of scripting. “Use free models with caution” is a better warning.

8 Likes

Well, it’s a bit complicated, but the toolbox is good for some things. You can trust models that Roblox made, and for other models you can just search to see if there is a script inside. If there is one (in a table model, for example, which doesn’t make sense), just delete it and keep the model. For other models that have a script because they need one, Ctrl+F for dangerous things like getfenv or require (there are others).

2 Likes

Except that any model with any kind of animation whatsoever is going to have a script inside. Should every single model go through a code review?

1 Like

Hello there! The toolbox can be used in tons of ways! You can decode objects, such as guns, in order to learn how they work. Or if you want to try a concept such as moving a car, but don’t want to build one, so you just use the toolbox car. Toolbox is not recommended for permanent projects though.

First, I would happily support a “vetted” category. As for open source, I’ve worked in open source for more than twenty years and while security issues exist, it’s not something that the community worries about every minute of every day. There are many respected projects out there, and respected devs. Perhaps Roblox should have ‘vetted developers’ as well as ‘vetted models’.

1 Like

Doing the Ctrl+F on every keyword that shouldn’t be in a model is good, I think, and enough. Also checking that there isn’t an infinite loop that crashes the game and things like that (I don’t know why people make those, it’s useless for them, but it still happens…). I don’t know why Roblox doesn’t do that, but yeah, models should have code review.

Is there a comprehensive list of keywords that developers should be looking for? I can’t imagine that the tens of thousands of Roblox developers out there analyse everything they include in a game. Especially in an environment that is largely aimed at kids.

Keep in mind the toolbox is not just for models; we can also get audio, meshes [which, from what I’m aware of, can’t contain scripts], decals (textures) and, most importantly, plugins, so it does have a use still, though I understand what you mean.

1 Like

In the toolbox you already have the “high-quality item” mark on some items, but sadly (or stupidly) you can’t make it so you only see those (and I don’t know how items get this mark; if it’s only with the likes/downloads it could easily be faked).

Well, if you are careful and know which models are suspicious and which ones are okay to use, then you can get around these viruses. For one, don’t look at free models as something to be ashamed of using, unless it is in great mass. They are open sourced and free to use for a reason. Just note that you shouldn’t rely on them, but look at them as a sort of stepping stone into Roblox development.

Like @BanTech said, think about it like installing a program on your computer, it’s either what you wanted or a virus.

Luckily, games being totally ruined from free models is rare, and you usually just have to remove the model, though I don’t think we should just delete the toolbox.

Btw, this is the wrong category.

I’m not an expert, but you can find other posts about it. The basic ones are require and getfenv. Basically, everything that tries to make contact with something else or tries to access things it shouldn’t.
“How to identify a malicious model”: here is one that covers the basics.
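
The Ctrl+F check suggested in the replies above can be run over a whole inserted model at once. The following is an added example, not code from any poster in this thread: a Luau snippet for the Studio command bar that lists every script under the current selection and flags lines containing the names mentioned here. The pattern list is an assumption (getfenv and require come from the thread; TeleportService is added because of the teleport behaviour described further down) and is not exhaustive.

```lua
-- Added example: paste into the Studio command bar with the inserted model selected.
-- PATTERNS is an assumed, non-exhaustive list; extend it for your own review.
local Selection = game:GetService("Selection")

local PATTERNS = {
	{ label = "getfenv call", pattern = "getfenv%s*%(" },
	-- A numeric argument to require means code is loaded from another asset.
	{ label = "require call", pattern = "require%s*%(" },
	{ label = "TeleportService use", pattern = "TeleportService" },
}

-- Returns a list of { line, label, text } for every flagged line in a script's source.
local function scanSource(source)
	local hits = {}
	local lineNumber = 0
	for line in string.gmatch(source .. "\n", "(.-)\r?\n") do
		lineNumber += 1
		for _, entry in ipairs(PATTERNS) do
			if string.find(line, entry.pattern) then
				table.insert(hits, { line = lineNumber, label = entry.label, text = line })
			end
		end
	end
	return hits
end

-- Lists every Script, LocalScript and ModuleScript under root and prints flagged lines.
local function auditInstance(root)
	local candidates = root:GetDescendants()
	table.insert(candidates, root)
	local scriptCount = 0
	for _, inst in ipairs(candidates) do
		if inst:IsA("LuaSourceContainer") then
			scriptCount += 1
			print(("[script] %s (%s)"):format(inst:GetFullName(), inst.ClassName))
			for _, hit in ipairs(scanSource(inst.Source)) do
				warn(("  line %d: %s -> %s"):format(hit.line, hit.label, hit.text))
			end
		end
	end
	return scriptCount
end

for _, selected in ipairs(Selection:Get()) do
	print(("%s: %d script(s) found"):format(selected.Name, auditInstance(selected)))
end
```

The script listing is the more dependable half of the output: a plain-text search does not see names that have been split up or encoded, so any script whose presence or contents you cannot explain still needs to be opened and read.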

Make sure that the item you are getting isn’t made by a recent account with no avatar customization. Continuing, make sure that the item you are inserting doesn’t have a spammed keyword. Aka, “TREE TREE TREE TREE TREE” or “FROG FROG FROG FROG”. Those usually have file corrupting scripts that can possibly backdoor their way into your PC.

I don’t think those can get in your computer, but either way you shouldn’t use that anyway.

3 Likes

Yeah, it’s been patched, but it’s still a possibility if older versions of Studio are used.

The toolbox exists for many reasons.

  • They help new developers learn

  • They are easy to access

Honestly, viruses in free models don’t do anything to damage your device or anything serious, but just scare you. Viruses are important because they help you learn from past mistakes and to understand. Don’t fear the toolbox but learn from it.

1 Like

I agree, however I don’t think it’s something you need to be worried about every minute of every day. Generally it’s very basic models and scripts that are used to house these backdoors. Most of the genuinely useful assets that are freely available are from reputable sources, but what sometimes happens is they get cloned by someone else, with a backdoor added, and then as the end user you aren’t sure which one is the original safe one.

It wouldn’t put me off using the toolbox - I just open anything I insert. Everything that gets inserted is also highlighted in the Explorer pane, so I suggest you just take a look upon inserting, confirm it does what it says it does, and if it doesn’t do what it’s supposed to or has something inside that you don’t fully understand, remove it.

Nobody would put something they don’t understand or haven’t checked into anything that is for production and to be monetised, Roblox or not. If I was making a website for a client, I would use libraries and modules where appropriate, but I’d make sure I actually knew what they did and how they worked. I’d never blindly use anything for any real products.

If you’re just starting out on Roblox and aren’t trying to make a full game and monetise it then there isn’t much harm in playing around and learning from the toolbox. Once you’ve learned and know what to look for, these worries occupy very little of your time at all, and you’re probably at a stage where you know enough to be making full games and monetising them.

No, it was never possible to install an actual virus on your computer, it just stayed in studio.

3 Likes

This is nothing new. Every platform has to deal with this. Apple, Google, Microsoft all have learned over time that if you give people the ability to upload executable code eventually someone will use this as an opportunity to spread viruses and exploit vulnerabilities. I can’t say Roblox has done as much as other platforms in this regard but then I don’t really know what they do behind the scenes to combat this.

I’ve certainly downloaded models with scripts in them. These scripts aren’t exactly hidden. You can drill down into any model and see whether they have scripts or not. For the most part scripts are benign and legitimate. I downloaded a tree model that included a script that made the branches and leaves sway as if blown by the wind. But I’ve also encountered game assets with scripts for nefarious purposes. In most cases they are not attempts to compromise a developer’s machine but to introduce hooks into a game that can be exploited once the game is published. Some are intended to allow cheating, others are attempts to inject code that teleports the player to another game, still others are attempts to unlock a game’s premium content without paying.

1 Like