I’m receiving requests from my game community: they want to contribute models for the next maps of my game. On one hand, I find this very cool for several reasons. On the other, I’m afraid of a bad actor putting malware in the asset they send me and corrupting my game in some way, such as messing up datastores, crashing the game, stealing the place, etc. I know some games like Tower of Hell use a lot of community content, so I was wondering: what are the best practices before I add a community asset to my game? I know I have to check the asset for suspicious descendants, like a strange script or weld, but I heard that some malware doesn’t show up in Studio Explorer. I also know running an anti-virus plugin is a good measure (I have this one installed: Hidden/Infection Script Detector - Roblox). Is there anything more that I should do before adding the asset to my game?
If what they’re providing is just a build, it should have no scripts in it. As long as it has no scripts, you should be fine.
Don’t use a plugin to remove possible scripts.
What you should do is go onto an empty baseplate, load in the model and run a script that destroys all scripts. This should be run in the command bar.
Doing so eliminates all possibilities of maliciousness.
These types of malware can only be added in by plugins, if at all. I’m pretty sure they don’t exist anymore.
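The command-bar cleanup described in the reply above could look like the following. This is an added example, not code posted in the thread; it assumes the community model was inserted into Workspace on an empty baseplate under the hypothetical name `CommunityModel`, and that the code is pasted as multi-line text into the Studio command bar.

```lua
-- Added example, not from the thread. MODEL_NAME is a hypothetical name:
-- rename it to match the model you inserted on the empty baseplate.
local MODEL_NAME = "CommunityModel"

-- Returns every script-type descendant of root.
-- LuaSourceContainer is the base class of Script, LocalScript and ModuleScript,
-- so one IsA check covers all three, however deeply they are nested.
local function findScripts(root)
	local found = {}
	for _, inst in ipairs(root:GetDescendants()) do
		if inst:IsA("LuaSourceContainer") then
			table.insert(found, inst)
		end
	end
	return found
end

local function stripScripts(root)
	local found = findScripts(root)
	-- Record path and class before destroying, because a destroyed
	-- instance no longer has a parent chain to report.
	local report = {}
	for _, inst in ipairs(found) do
		table.insert(report, ("%s  (%s)"):format(inst:GetFullName(), inst.ClassName))
	end
	for _, inst in ipairs(found) do
		inst:Destroy()
	end
	return report
end

local model = workspace:FindFirstChild(MODEL_NAME)
if not model then
	warn("No instance named " .. MODEL_NAME .. " in Workspace")
else
	local report = stripScripts(model)
	for _, line in ipairs(report) do
		print("removed: " .. line)
	end
	print(("%d script(s) removed from %s"):format(#report, model:GetFullName()))
	-- Second pass: the model should now contain no scripts at all.
	local left = #findScripts(model)
	if left > 0 then
		warn(left .. " script(s) still present, inspect the model manually")
	end
end
```

The printed list shows what a "build only" submission was carrying before you copy the cleaned model into the real place.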
I created a plugin that gives you a list of suspicious scripts but doesn’t delete them for you. This could surely help you know which script to check. The only problem currently with the plugin is that it does not detect scripts that use “hex”. I am looking for a solution nevertheless. But most viruses don’t use “hex”.