Hierarchy Saver - Convert Roblox Instances to Clean Luau Code

Description:

Hierarchy Saver is a free and open-source plugin that exports your Roblox instance hierarchies into clean, readable Luau code.
Built by @Yarik_superpro, it supports customization, formatting control, macros, DSL dialects, and more - making it ideal for plugin authors, framework devs, and anyone building reusable content pipelines.

Perfect if you want to treat hierarchies like code, generate UIs, replicate runtime structures, or just ditch manual rework.

Downloads

• Roblox Marketplace:
  https://create.roblox.com/store/asset/122426584119143/Hierarchy-Saver
• GitHub (Source Code):
  GitHub - YarikSuperpro/HierarchySaver

Features / Supports

• All Roblox instance datatypes (Vector3, Color3, UDim2, etc.)
• Meshes (MeshPart & SpecialMesh support)
• Unions (UnionOperation & IntersectionOperation)
• Advanced customization (indent, tabs, formatting, dialects)
• Macro system for reusable patterns and conditionals
• Recursive & linear hierarchy references (ObjectValue etc.)
• Register limit handling via upvalue imports
• UI/Instance DSL support (Nestify-style syntax)
• Dialect system for framework compatibility
• Fully open-source — no bloat, no paywalls

Nestify Framework:

Demo

Watch it in action:

Data Removal/Backup

image731×113 11.9 KB

Enable Manage Attribute to get access to data management

image611×545 42.5 KB

How to use _base format:

It only supports property and attributes and tag matching, so be aware:

return {
	Smooth = {
		Name = "Part";
		_exec = {
			SetAttribute = {
				Hello = true
			};
			AddTag = {"Yeah"};
		}
	}
}

Result:
Object having Name “Part”,attribute “Hello” being true and containing tag “Yeah” will be given _base “Smooth”.

Donations

(Just buy some clothing if you want to support me)

The creator hub link doesn’t work (probably not public?)

Roblox auto moderation took it down.
Dont worry i had already sent appeal; For now you can get rbxm file from github and put it as a local plugin.

guys
guys
guys

do we all see where this is going

image1280×720 51.5 KB

Hello can you please not be offtopic in my post?
Thanks.
Also what do you mean by “do we all see where this is going”?

okay, let me uhhh
let me make it clear real quick

so this is a “instance/object to code/script” converter

that all in all, is a fantastic tool
slight issue

MOST of the use is going to be malicious
why? because exploit makers use SCRIPTS to generate UI and you have made this about 20 gajillion times easier to do that since its literally make the ui using the studio available tools and then just convert it

10/10 plugin, better not get into the wrong hands though

How exactly?
It works only inside studio so exploiters wont be able to do anything.

There is already similar plugins but they are lacking a lot of features and are paid.
Etc example: Codify - Convert anything to Luau, TypeScript, Vide, Fusion, React, Rojo and more!

i think you missed the point, which is understandable

what i meant, is exploit makers create ui for their “exploit HUBs”, and this ui, generally, takes a lot of time to create because its written by hand, and they have to playtest each time to make sure its fine
the thing is, exploit creators will go into studio, make the ui IN studio, use your tool (which is free and accessible to anyone, not inherently a bad thing) to convert it into code, and then voila
the exploit hub ui has been generated in minutes

then, they script/program the rest of the exploit and just throw the converted ui code in there, and boom
you now have an exploit hub ready to inject into whatever game youre trying to do that in

i hope i explained it well

Exploiters already have DSL/Ready libraries to do that and more over they are minority anyway.
Majority of people who write UI code for their games either use fusion or other frameworks/plain luau and they do suffer from writing it all manually too and unlike exploiters they are majority.

i guess that is true, but my main concern was just that your tool was free and well, just really accessible to anyone out there so that’s why i pointed out something i saw as a possible problem

also its been a hot minute since ive actually had a civilized discussion with someone

image2559×1439 388 KB

Hey, unable to get the plugin. Sounds really useful though, can’t wait for it to be available!

Edit, I JUST saw your post about it getting moderated. I’m wondering if it uses a function that Roblox doesn’t like?

It uses _G to store classes data and HTTP service to get API dump.
Idk why would AI moderation flag it.

Idk its gonna heppen in like never probably.
Roblox appeal system doesnt work at all and im pretty sure humans no longer review it but “Stuipid Parser” instead.
I really hate how roblox is putting useless AI to review appeals now.

Seems useful, good work.

Are you okay if I run the source zip through ChatGPT? Maybe an AI will understand what another AI disliked.

yeah sure.
You can do anything you want with it aslong as you dont violate the license im fine with it.

Okay, ran the zip file through ChatGPT. Here’s what it responded with (also why is it annoyed by HTTPService? Roblox literally has a permission category for HTTPService.)

Nice — I unpacked the ZIP and scanned the plugin source. Short answer: yes, there are a few things that could trigger Roblox moderation or at least raise security flags. I’ll list the specific red flags (with file references and short excerpts) and give concrete fixes/mitigations you can apply.

Top moderation / security red flags

1) Programmatic script creation + automatic editing (script injection)

Where: HierarchySaverMain.luau and src/Hierarchy_Saver.luau (multiple places)
What I found: the plugin creates Script instances, puts them in the DataModel, opens them using ScriptEditorService:OpenScriptDocumentAsync, then programmatically edits their contents with ScriptDocument:EditTextAsync. Example behavior sequence:

• Instance.new("Script") → Selection:Set({script}) → ScriptEditorService:OpenScriptDocumentAsync(script)
• ret:EditTextAsync(...) (programmatically writes to the script editor)

Why this’s risky: plugin-created scripts that are filled/modified automatically are exactly the sort of “script injection” behavior that moderation and users are wary of — it can be used to plant code in a place and automatically run it. The code even contains a warning message: “No script access. Please give script injection access.” which confirms it expects elevated editing permissions.

Suggested mitigations:

• Require explicit, visible user consent before inserting or modifying any script (e.g., show a dialog with a clear confirmation button, and don’t proceed without it).
• Prefer producing the generated code in a safe way the user can inspect and paste themselves (e.g., copy to clipboard, show a preview window with an explicit “Insert into new script” button the user must press).
• Log/annotate any inserted code with a clear comment header like -- Inserted by Hierarchy Saver (date, user) so it’s obvious what changed.

2) Self-destruct / hiding module script

Where: src/Children/SharedSettings.luau (top of file)
What I found: a call that schedules destruction of the module/script:
task.defer(game.Destroy, script) — this will call Destroy with script as self, effectively destroying the module/script instance at runtime.

Why this’s risky: destroying your own module (or otherwise removing code at runtime) is often used to hide behavior from users and moderation reviewers. That’s a strong red flag — it looks like an attempt to remove or hide source code after execution.

Suggested mitigations:

• Remove self-destruction. Keep module scripts intact so users and moderation can inspect them.
• If you want to avoid leaking internal tables, return only the necessary table and do not delete the ModuleScript object.

3) External HTTP requests

Where: HierarchySaverMain.luau and src/Hierarchy_Saver.luau
What I found: several pcall(HttpService.GetAsync, HttpService, "<raw github url>") calls to fetch an API dump from GitHub (API-Dump JSON). The plugin also stores/loads JSON via plugin settings.

Why this’s risky: external requests from plugins are monitored; fetching remote code or data without clear disclosure can attract attention. If the plugin pulled executable code or untrusted assets, that would be a red flag.

Suggested mitigations:

• If you must fetch remote data, document it clearly and prefer fetching non-executable, read-only metadata (no code).
• Prefer bundling required static resources with the plugin or let users opt-in to “update from remote” explicitly.
• Don’t load or execute strings fetched from remote sources.

4) Use of InsertService (asset insertion)

Where: SharedSettings.luau and other code paths reference InsertService / AssetService.
What I found: plugin can create MeshPart via InsertService (there’s a UI setting CMPAsyncService choosing InsertService vs AssetService).

Why this’s risky: inserting remote assets may load user-supplied or moderated assets. Automatic asset insertion should be explicit and transparent.

Suggested mitigations:

• Default to safer methods (AssetService) or require user confirmation for inserting remote assets.
• Make it clear what asset IDs/URLs will be used.

5) Programmatic destruction of Instance objects

Where: many :Destroy() calls across the codebase.
What I found: plugin routinely destroys UI objects and created Instances — not inherently malicious, but combined with other behavior (creating and destroying scripts) it increases suspicion.

Suggested mitigations:

• Keep destructive operations user-initiated and documented.
• Avoid destroying user-owned objects unless user explicitly requests it.

6) Use of global table _G for cache/state

Where: multiple files (_G.__classesData usage).
Why this’s risky: globals are not a moderation problem per se, but they can cause persistence across plugin runs and conflict with other plugins. Not a direct red flag, but worth replacing with plugin settings or scoped module caches.

Overall assessment & likelihood of moderation attention

• High-likelihood flags: self-destructing module script (task.defer(game.Destroy, script)) and automatic script injection/editing (ScriptEditorService + EditTextAsync) — both are behavior that moderators and trust systems scrutinize. The self-destruction is particularly suspicious.
• Medium-likelihood flags: external HTTP calls to fetch resources (acceptable when fetching non-executable JSON but must be documented), InsertService usage when unprompted.
• Low-likelihood flags: _G use, :Destroy() on UI / temp objects, general file structure.

If moderation inspects this plugin, the two things most likely to cause rejection or removal are the self-destruct and the automatic editing/insertion of scripts.

Concrete changes I recommend (priority order)

1. Remove task.defer(game.Destroy, script) immediately — never self-delete ModuleScripts. Keep source visible.
2. Stop silently writing into scripts. Replace programmatic injection with an explicit user action:

• Show the generated source in a preview window and a clear “Insert into new script” button that the user must click.
• Or copy the generated code to the clipboard and show instructions for pasting into a script.

3. Add clear UI/consent for network/API calls and asset insertion. If you fetch remote JSON or insert assets, show a confirmation and explain what will be fetched/inserted.
4. Audit any place you modify or destroy user-owned Instances or scripts and make those actions require explicit user consent.
5. Replace _G caching with plugin:GetSetting()/SetSetting() or a module-local cache so state isn’t globally shared."

CHATGPT, ROBLOX DOES THIS ALREADY!!!

But in all serious, try dropping the use of __G. Maybe Roblox will be less fussy bout it?

Ok thanks
I probably did referance InsertService when debugging and that causing that.
Destroying script could also be cause of it.
Even through it would create memory leaks otherwise i probably should experement with that.
Overall thanks for analisis i will try to figure it out.