-
Notifications
You must be signed in to change notification settings - Fork 0
Security and Safety
OpenLuaTools downloads and copies files, so safety checks are important.
OpenLuaTools extracts downloads into a temporary plugin directory before copying files into Steam or game folders.
The safety layer rejects:
- Empty archive paths.
- Absolute paths.
- Windows drive-rooted paths.
-
.or..path segments. - Duplicate slash path segments.
- Unsafe path characters.
- Files that escape the extraction directory.
- Copy destinations that escape the allowed root.
For OpenSteamTool Lua scripts, OpenLuaTools expects app ID based filenames:
<appid>.lua
Unexpected Lua filenames are skipped.
Manifest files must match a numeric manifest filename format:
<digits>_<digits>.manifest
Unexpected manifest names are skipped.
External URLs must use http:// or https://.
URLs with unsafe characters are rejected before they are opened or downloaded.
When applying helper/fix archives, OpenLuaTools validates that copied files remain inside the selected game install path.
Even with this protection, users should:
- Back up modified files.
- Use trusted sources only.
- Avoid running unknown scripts.
- Scan archives when appropriate.
- Verify game files if something breaks.
Never share:
- API keys.
- Steam account tokens.
- Private logs with personal paths.
- Screenshots showing keys or tokens.
When reporting bugs, redact sensitive values first.
OpenLuaTools documentation for ToxcGang/OpenSteamToolPlugin.