We’ll use free models, but only if we scan it for scripts first. Almost every script is removed in favor of our own injection points.
Additionally, we’ll scan meshes and CSG parts for unperformant best practices and fix them.
Most reused code is injected via rojo and GitHub, which is much safer.
The toolbox once used to be mostly free of “viruses” because no-one had thought of adding them. It was always possible, before Filtering Enabled, require etc., you could still hide an admin script somewhere. But no-one thought or knew to do it.
One day, someone created the infamous Spreading Fire script. It was a script in a Fire particle effect that spread itself to any parts it touched, the way fire does. It did not destroy any parts and could spread to anchored parts.
Then, someone clueless made the Fire invisible to disable it, instead of deleting it. This made it spread invisibly, without any tangible reason to remove or disable it.
Build Mode was a thing back then, you would enter a game with a character and Studio tools, all scripts were live and you could Publish your place as-is and upload models. People would build something, accidentally contaminate it with the invisible fire (by stepping on it with their burning character) and then proudly upload their new creation to the Toolbox, where others would take it, spread the fire to their own place etc.
This was completely novel at the time, just like the Morris worm was in 1988. All the other viruses - Vaccine, dââââââââng you got owned, Anti-Lag, 4D Being etc. were inspired, directly or indirectly, by this fire script. These would put themselves in a Motor6D or Geometry inside every part so they would be invisible from the Explorer. They are the reason why nothing is invisible in Explorer now (except for most services)
(The Roblox response to this was to blank any scripts that exactly matched any of the viruses. At least that’s what it seemed to be - I’ve opened quite a few scripts named “Vaccine” that were completely empty and useless.)
For a while, all the scripts did was spread. There was no particular target in mind, it was just funny for the creators of them to see how many n00bs were uploading infected models. Nobody even made an admin commands script spread itself!
Then someone was inspired to make the virus scripts clear Data Persistency, create popup GUIs, teleport players, give admin commands, cause seizures etc. and it stopped being just for fun.
From this point forward, the toolbox was unsafe to use.
I have to stress that outright malicious viruses are an invention. Before someone came up with it, it was not done, and after that, it was done very often.
The latest innovation is botting the library with infected copies and intentionally misleading people to download the virus, instead of just letting the virus go loose somewhere.
…
I just wanted to say that the Toolbox exists because it is useful, and once was even fully safe.
The Toolbox is for extremely easily getting an asset for your game, such as a tree that’s nicer than anything you can make or a gun that would take you several hours to make, instantly and with no fuss. It aligns with the ideal of letting you Just Make Things.
The viruses wouldn’t go away if the Toolbox didn’t exist; people would download viruses from elsewhere.
Think about it like when you vet new software for corporate IT rollout.
Let’s say HR wants a new accounting software installed on their computer.
You’d do your due diligence on the company before installing it, to make sure it is safe and reputable. The same applies here. It’s not that you should never use free models - that’s poor advice. It is just that you should do your due diligence on the author, and if applicable the model itself before leaving it in your game.
First, many thanks for that fascinating bit of Roblox history and for taking the time to write it.
I have no expectations of ‘being kept safe’ if I’m searching for and installing products from ‘elsewhere’. That’s on me. However, Dev Studio is a Roblox created and sanctioned product (unless I am mistaken) and, as such, should come with some expectation of quality in whatever is present there. Granted, I’m just another new guy in this Roblox universe, but when you deal directly with a company’s product, you expect that the company is conscious of your safety. Any new dev will look at that toolbox and assume, unless warned otherwise as I was, that what’s there must be safe.
As I mentioned to someone else, there are respected code repositories out there, like GitHub, which you mentioned. The trouble with the toolbox is that it ‘looks’ like a Roblox repository. Every new dev is going to look at that and expect that it’s okay because it’s Roblox. If you need to leave the Roblox repo (or GitHub, per your example) and you choose to download from an unknown site, that’s on you.
The toolbox, even with all the dangers is what helps people learn how to make games.
On import Roblox studio should provide an option to Exclude scripts.