Dangerous Models, or why does the toolbox even exist?

Is there a comprehensive list of keywords that developers should be looking for? I can’t imagine that the tens of thousands of Roblox developers out there analyse everything they include in a game. Especially in an environment that is largely aimed at kids.

Keep in mind the toolbox is not just for models, we can also get Audio, Meshes [which, from what I’m aware of, can’t contain scripts], decals (textures) and most importantly plugins, so it does still have a use, though I understand what you mean.

1 Like

In the toolbox you already have the “high-quality item” mark on some items but sadly (or stupidly) you can’t make it so you only see those (and I don’t know how items get this mark; if it’s only with the like/download it could easily be faked).

Well, if you are careful and know which models are suspicious and which ones are okay to use, then you can get around these viruses. For one, don’t look at free models as something to be ashamed of using, unless it is in great mass. They are open sourced and free to use for a reason. Just note that you shouldn’t rely on them, but look at them as a sort of stepping stone into Roblox development.

Like @BanTech said, think about it like installing a program on your computer, it’s either what you wanted or a virus.

Luckily, games being totally ruined from free models is rare, and you usually just have to remove the model, though I don’t think we should just delete the toolbox.

Btw, this is the wrong category.

I’m not an expert but you can find others’ posts about it. The basic ones are require and getfenv, basically everything that tries to make contact with something else or tries to access things it shouldn’t.
How to identify a malicious model - here is one that covers the basics.
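An added example, not from any poster in this thread: a Luau snippet for the Studio command bar that lists every script under the instances selected in Explorer and flags the keywords mentioned above (require, getfenv) plus a few other services the thread names; the pattern list and function names are my own assumptions, and a hit means “open and read this script”, not proof of malice.

```lua
-- Added example (not from the thread). Select the freshly inserted model in
-- Explorer, then paste this into View > Command Bar in Roblox Studio.
local Selection = game:GetService("Selection")

-- Constructed keyword list: patterns the thread mentions as worth a closer look.
local SUSPICIOUS = {
	{ pattern = "require%s*%(%s*%d+", label = "require() of a numeric asset id" },
	{ pattern = "getfenv", label = "getfenv" },
	{ pattern = "setfenv", label = "setfenv" },
	{ pattern = "loadstring", label = "loadstring" },
	{ pattern = "TeleportService", label = "TeleportService (player teleports)" },
	{ pattern = "MarketplaceService", label = "MarketplaceService (purchases)" },
}

-- Returns the labels of every pattern found in one script's source.
local function scanScript(scriptObj)
	local src = scriptObj.Source -- readable from the command bar / plugins
	local hits = {}
	for _, rule in ipairs(SUSPICIOUS) do
		if string.find(src, rule.pattern) then
			table.insert(hits, rule.label)
		end
	end
	return hits
end

-- Walks every descendant of each selected instance; GetDescendants() also
-- reaches scripts parented under meshes, decals, Motor6Ds and other odd spots.
local function scanSelection()
	local found = 0
	for _, root in ipairs(Selection:Get()) do
		for _, inst in ipairs(root:GetDescendants()) do
			if inst:IsA("LuaSourceContainer") then -- Script, LocalScript, ModuleScript
				found += 1
				local hits = scanScript(inst)
				local verdict = (#hits > 0)
					and ("FLAGGED: " .. table.concat(hits, ", "))
					or "no keyword hits"
				print(string.format("[%s] %s  (%s)", inst.ClassName, inst:GetFullName(), verdict))
			end
		end
	end
	print(string.format("%d script(s) found under the selection", found))
end

scanSelection()
```

Scripts with no keyword hits still deserve a quick read; the list only speeds up finding the ones to open first.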

Make sure that the item you are getting isn’t made by a recent account with no avatar customization. Continuing, make sure that the item you are inserting doesn’t have a spammed keyword. Aka, “TREE TREE TREE TREE TREE” or “FROG FROG FROG FROG”. Those usually have file corrupting scripts that can possibly backdoor their way into your PC.

I don’t think those can get in your computer, but either way you shouldn’t use that anyway.

3 Likes

Yeah it’s been patched; but it’s still a possibility if older versions of studio are used.

The toolbox exists for many reasons.

  • They help new developers learn

  • They are easy to access

Honestly viruses in free models don’t do anything to damage your device or anything serious but just scare you. Viruses are important because they help you learn from past mistakes and to understand. Don’t fear the toolbox but learn from it.

1 Like

I agree, however I don’t think it’s something you need to be worried about every minute of every day. Generally it’s very basic models and scripts that are used to house these backdoors. Most of the genuinely useful assets that are freely available are from reputable sources, but what sometimes happens is they get cloned by someone else, with a backdoor added, and then as the end user you aren’t sure which one is the original safe one.

It wouldn’t put me off using the toolbox - I just open anything I insert. Everything that gets inserted is also highlighted in the Explorer pane, so I suggest you just take a look upon inserting, confirm it does what it says it does, and if it doesn’t do what it’s supposed to or has something inside that you don’t fully understand, remove it.

Nobody would put something they don’t understand or haven’t checked into anything that is for production and to be monetised, Roblox or not. If I was making a website for a client, I would use libraries and modules where appropriate, but I’d make sure I actually knew what they did and how they worked. I’d never blindly use anything for any real products.

If you’re just starting out on Roblox and aren’t trying to make a full game and monetise it then there isn’t much harm in playing around and learning from the toolbox. Once you’ve learned and know what to look for, these worries occupy very little of your time at all, and you’re probably at a stage where you know enough to be making full games and monetising them.

No, it was never possible to install an actual virus on your computer, it just stayed in studio.

3 Likes

This is nothing new. Every platform has to deal with this. Apple, Google, Microsoft all have learned over time that if you give people the ability to upload executable code eventually someone will use this as an opportunity to spread viruses and exploit vulnerabilities. I can’t say Roblox has done as much as other platforms in this regard but then I don’t really know what they do behind the scenes to combat this.

I’ve certainly downloaded models with scripts in them. These scripts aren’t exactly hidden. You can drill down into any model and see whether they have scripts or not. For the most part scripts are benign and legitimate. I downloaded a tree model that included a script that made the branches and leaves sway as if blown by the wind. But I’ve also encountered game assets with scripts for nefarious purposes. In most cases they are not attempts to compromise a developer’s machine but to introduce hooks into a game that can be exploited once the game is published. Some are intended to allow cheating, others are attempts to inject code that teleports the player to another game, still others are attempts to unlock a game’s premium content without paying.

1 Like

We’ll use free models, but only if we scan them for scripts first. Almost every script is removed in favor of our own injection points.

Additionally, we’ll scan meshes and CSG parts for unperformant best practices and fix them.

Most reused code is injected via Rojo and GitHub, which is much safer.

1 Like

The toolbox once used to be mostly free of “viruses” because no-one had thought of adding them. It was always possible, before Filtering Enabled, require etc., you could still hide an admin script somewhere. But no-one thought or knew to do it.

One day, someone created the infamous Spreading Fire script. It was a script in a Fire particle effect that spread itself to any parts it touched, the way fire does. It did not destroy any parts and could spread to anchored parts.

Then, someone clueless made the Fire invisible to disable it, instead of deleting it. This made it spread invisibly, without any tangible reason to remove or disable it.

Build Mode was a thing back then, you would enter a game with a character and Studio tools, all scripts were live and you could Publish your place as-is and upload models. People would build something, accidentally contaminate it with the invisible fire (by stepping on it with their burning character) and then proudly upload their new creation to the Toolbox, where others would take it, spread the fire to their own place etc.

This was completely novel at the time, just like the Morris worm was in 1988. All the other viruses - Vaccine, dââââââââng you got owned, Anti-Lag, 4D Being etc. - were inspired, directly or indirectly, by this fire script. These would put themselves in a Motor6D or Geometry inside every part so they would be invisible from the Explorer. They are the reason why nothing is invisible in Explorer now (except for most services).

(The Roblox response to this was to blank any scripts that exactly matched any of the viruses. At least that’s what it seemed to be - I’ve opened quite a few scripts named “Vaccine” that were completely empty and useless.)

For a while, all the scripts did was spread. There was no particular target in mind, it was just funny for the creators of them to see how many n00bs were uploading infected models. Nobody even made an admin commands script spread itself!

Then someone was inspired to make the virus scripts clear Data Persistency, create popup GUIs, teleport players, give admin commands, cause seizures etc. and it stopped being just for fun.
From this point forward, the toolbox was unsafe to use.
I have to stress that outright malicious viruses are an invention. Before someone came up with it, it was not done, and after that, it was done very often.

The latest innovation is botting the library with infected copies and intentionally misleading people to download the virus, instead of just letting the virus go loose somewhere.

I just wanted to say that the Toolbox exists because it is useful, and once was even fully safe.
The Toolbox is for extremely easily getting an asset for your game, such as a tree that’s nicer than anything you can make or a gun that would take you several hours to make, instantly and with no fuss. It aligns with the ideal of letting you Just Make Things.
The viruses wouldn’t go away if the Toolbox didn’t exist; people would download viruses from elsewhere.

4 Likes

Think about it like when you vet new software for corporate IT rollout.

Let’s say HR wants a new accounting software installed on their computer.
You’d do your due diligence on the company before installing it, to make sure it is safe and reputable. The same applies here. It’s not that you should never use free models - that’s poor advice. It is just that you should do your due diligence on the author, and if applicable the model itself before leaving it in your game.

First, many thanks for that fascinating bit of Roblox history and for taking the time to write it.

I have no expectations of ‘being kept safe’ if I’m searching for and installing products from ‘elsewhere’. That’s on me. However, Dev Studio is a Roblox created and sanctioned product (unless I am mistaken) and, as such, should come with some expectation of quality in whatever is present there. Granted, I’m just another new guy in this Roblox universe, but when you deal directly with a company’s product, you expect that the company is conscious of your safety. Any new dev will look at that toolbox and assume, unless warned otherwise as I was, that what’s there must be safe.

1 Like

As I mentioned to someone else, there are respected code repositories out there, like GitHub, which you mentioned. The trouble with the toolbox is that it ‘looks’ like a Roblox repository. Every new dev is going to look at that and expect that it’s okay because it’s Roblox. If you need to leave the Roblox repo (or GitHub, per your example) and you choose to download from an unknown site, that’s on you.

1 Like

The toolbox, even with all the dangers, is what helps people learn how to make games.

On import, Roblox Studio should provide an option to exclude scripts.

1 Like