Verified / Safe Scripts

This page explains what "verified" Luarmor scripts are. This feature is optional, and you do not have to opt-in as a script developer.

For script developers:

Verified scripts require manual approval by Luarmor owner. Source code will be reviewed by owner and deleted from our systems after obfuscation.

Your data will be anonymized and reviewer will not see who submitted the script.

This will ensure that script does not contain any malware or potentially dangerous code (e.g stealers, rats, ip loggers, reflective code loaders etc..)

Rules & Limitations:

You will not be able to use certain functions and APIs in your code to ensure 100% safety of your users. Using these functions will result in rejection of your script update request. It will not count from obfuscation.

  • Making Requests to Unknown External URLs: E.g ip-api.com, whatismyip.com or any other site that could be used to obtain information about client is not allowed.

  • Sending Sensitive User Information to Webhooks / URLs: You are not allowed to send IP addresses / cookies of your users to webhooks or other URLs. You can still send other stuff like in-game stats, usernames etc. as long as they are not sensitive.

  • Code Loading: You will not be able to use loadstring or any similar mechanism (e.g a lua VM, require) with external & unpredictable sources like pastebin, github, or any other URL. Keep in mind that you can still use these functions if you are loading the code from a local source (e.g readfile, in-game modules) or a string that's hard coded in your script. In some cases, public & known libraries will be allowed through URLs.

  • Creating & Writing Files: You are allowed to write or create files as long as their content is not retrieved from an external & unpredictable source. Also file content must not be malicious or remotely changeable.

  • Potentially Malicious Code: You are not allowed to abuse vulnerabilities within the platform to gain unauthorized access to outside of Luau sandbox. (e.g ACE/RCEs, PC username grabbers, Browser URL openers, RATs, Token loggers etc..)

  • Stealers: Pet stealers, gem stealers, auto traders, robux stealers, cookie stealers etc. are not allowed in Verified scripts.

  • Obfuscated Behavior: If your script contains obfuscated or unpredictable code (e.g accessing functions through runtime-generated names via getfenv, _G, getrenv or similar environment functions/tables, obfuscated code, encrypted strings) your submission will be rejected.

New rules / limitations can be added anytime without notification. Existing rules will not be removed.

For script users:

If a script is "verified", it means it has been reviewed by a human before publishing, and does not contain malicious code.

How to check if a script is actually Verified?

You can also check if loader URL has "/verified/" in it. If you see it, it means that script is a legitimate loader verified by Luarmor. If you don't see it, you can still lookup its ID on check page just to make sure.

cdn.luarmor.net is also a safe domain.

Last updated