Those free models that have a backdoor typically have repetitive descriptions and titles; however, avoiding those free models won’t totally prevent you from getting a backdoor in your game. When inserting a free model, if its a small one, you can check through each child of the model to determine if a script is within it. Usually, the piece of code that’s responsible for the backdoor is hidden within a 100-line script that looks like it consists of empty lines. You should remove those scripts.
For a large model, write a script that iterates through every child within the model and flag the location of the script for manual review.
Note: Run this script within command line. Do not run a game after inserting a free-model with potential backdoor.
Note that legitimate admin commands also may have a backdoor on them. I remember going through a particular famous admin script a long time ago, and it apparently teleported people to a empty base plate game for the purpose of farming tickets in random intervals of time. It looked something like:
game:GetService(string.reverse(“ecivreStropeleT”)):Teleport(…). (which was hidden deep inside the code)
What’s the lesson here? No matter how legitimate the model may look like, you should look at the scripts source code and verify all of its actions, no matter how troublesome that may seem.