As the Developer Marketplace expands and more creators are contributing awesome content, we want to continue to ensure that all of you can have full confidence in using community plugins. Our team has been focused on providing a suite of content security permissions, including Plugin HTTP Permissions and Third Party Sales & Cross Game Teleport Permissions.
Today, we are excited to announce another addition: permissions to control plugins from managing scripts in games. Management of scripts extends to adding or modifying existing scripts in your game’s data model.
How does it work?
The first time that a plugin tries to manage a script in your data model, you will see a dialog message pop up and ask if you would like to grant it permission to do so.
If the permission is denied, the plugin will be prevented from managing scripts in the data model.
If the permission is granted, the plugin will be able to manage scripts in the data model.
At any time, you may navigate to Plugin Management to adjust your settings.
If permissions have been denied for the plugin and the plugin then fails to work, you can use errors in the output window to help yourself troubleshoot.
This will work for published plugins only - if you are working on a script locally, you will need to publish it to be able to test how it behaves on a user’s machine.
Script, ModuleScript, and LocalScript parented to any DataModel - if your Plugin adds a child script in a self-modifying way, then that qualifies.
Source and Parent properties as well as Instance.new(“script type”, inDataModelParent)
There are a number of other efforts for content security across Roblox that are not Studio Plugin specific, and we recognize that developers on the forum who see our announcements like to ask, “I see X exploit so often in Y content type.” We acknowledge and appreciate that kind of feedback, and are working on a number of efforts to improve your experience in parallel with this effort.
Seems great, this can help against a lot of virus plugins. Although wouldn’t it be easier to add an easier way to view plugin source from studio so developers can just vet the code themselves?
This is a great and much needed addition. Too often have I found random scripts in my games with code that inserts Asset IDs when working with other developers.
Thank you! This is definitely a huge step forward for the marketplace and I can’t wait to see more improvements. This will definitely help reduce the amount of malicious content we’re adding to our games and it will feel safer using Plugins, hopefully these type of changes will also be made in our other marketplaces (Toolbox).
This is interesting, however I think it can be expanded on. For example, a plugin could provide a reason as to why it needs to inject scripts. Allowing elaboration would allow plugins to explain why they need to inject, and subsequently allow them to work properly without being blocked.
Overall, I think that this plugin will allow Roblox Studio to be safer, and keep people from having their games ruined by malicious plugins.
This will be really helpful for most developers. Are there any chances to add a “Verified” icon to some of the most used plugins so pirate copies can be prevented too?
I experienced this about an hour before this post dropped. I thought that there was a virus in the plugin, but apparently not.
I am glad that work is being done towards preventing viruses though. I’d recommend doing something like this for models whenever they are added, such as possibly giving a request window for the model to have the ability to implement scripts into the game. There would probably be ways found around it, but it would decrease the likelihood of running into encrypted models.
I’m tempted to install the top ten shadiest plugins I can find and watch the prompts pile up.
But in all seriousness, this is a huge step towards better Studio security, and definitely a big step towards having a safe Developer Marketplace. Can’t wait to see what’s next! Although it seems like malicious plugins might end up doing something like this:
Are there any plans to prevent plugin pirating/fraud, specifically at the marketplace level (before the user even installs it)? All too often copied malicious plugins are botted.
The prompt could be infinitely more helpful if it was identified, at least initially, what exactly the plugin was attempting to modify. This way, developers can be aware of what the script was attempting to do (inject a script or modify) and can decide the permissions for the plugin based on that information.
I also think that the plugin’s permission to modify should be wiped when the plugin is updated. There’s no telling if a plugin may be clean one moment and then be updated maliciously the next, with the permission to modify scripts still remaining and thus putting this back in square one.
Great step towards security but it’d be great if you can add an API that can allow plugins to detect the choice of the permissions modal. If the user denies permission, then plugins can use this to handle it without errors. Plus, the plugin can perhaps interact with the choice, like if the user denies, then the plugin can display a message stating that permissions must be accepted for them to use the plugin.
Also, does this modal appear for every script modification for every NEW plugin or every studio SESSION? If the user accidentally denies (since the button is initially highlighted), then would users have to reinstall the plugin to change their choice?
Not everyone downloading plugins are experienced enough to be able to identify malicious code
This update will definitely help prevent newer (and older) developers avoid getting their games hijacked by bad plugins
As a Roblox instructor, this is a godsend. The first thing I tell my class is “Do NOT insert any free models and plugins from untrusted sources.” I’ve seen more than my fair share of viruses and blue screens in the lab. At least now there’s some form of warning and intervention.
Even if you don’t have experience that doesn’t mean you can’t ask questions, whether it be in #help-and-feedback:scripting-support or asking on Discord or something.
