It would have to be a LocalScript in startplayerscripts to be effective, then it can just be deleted still from starter player.
Example of what types of scripts can be leaked and what cant:
Script - Always cannot be decompiled.
LocalScript - can be decompiled.
modulescropt - can be decompiled
Can’t the local script create a script, parent it to Workspace and set the source code to the kick script code?
(Almost) Everything that is outside of Server(Storage, ScriptService) and its replicated to client can be disabled, deleted, decomplied.
Yeah, But the local script could be easily removed still.
But if the leaker doesn’t know how to script, they might fall for it?
Server scripts are not able to be read by clients under normal conditions. Assuming this is to protect against leaking the place file (ie; obtained by the game being uncopylocked, etc) you can simply delete the server script.
If you are confident, post an example/template game with this system and set it to un-copylocked and link it here
Yeah, They would.
But keep in mind most map-leakers are experienced scripters, A very small amount are just oblivious to what they are doing.
I’d say the majority of leakers would just be inexperienced people who use some free online leaking software or something.
A even better thing would be a baseplate with all that code in and some user with a script executor or something similar (I am not promoting any exploits here) to test it then, But that may be against TOS though, Dont qoute me on it if it is.
I think you would be able to test the exploits if it’s in a private place that you own and are just testing stuff.
Forgive me for having to leave this conversation for a few hours, I have too much homework.
Good luck discussing this more if you wish
No unfortunately it is still against ToS.
You can just run the scripts in Studio using the command bar. You’d need to have some exploit-exclusive functions emulation with setfenv if the script has any.
Regardless of serverscript position, the source of the script is not replicated to the client. As such, it is impossible for the client to decompile serverscripts, even if placed in the workspace. (ModuleScripts are decompilable though)
It’s also impossible to decompile client-side scripts without Synapse, since it has its own script decompiler.
Alright always good to know thank you for pointing that out but I would still prefer storing my ServerScripts inside Server though.
Other exploits have decompilers as well, however synapse is the most popular (and probably most reliable)
That’s a good idea for code organization and the like, (just thought I’d comment)
I once ran into problem that someone disabled Debounce in ServerScript inside StarterGui (PlayerGui) and that is why I thought it is possible 
.
no that would be a major security risk since exploiters can execute their own localscripts.