Skip to content

Security and Safety

Toxc edited this page Jun 25, 2026 · 1 revision

Security and Safety

OpenLuaTools downloads and copies files, so safety checks are important.

Archive safety

OpenLuaTools extracts downloads into a temporary plugin directory before copying files into Steam or game folders.

The safety layer rejects:

  • Empty archive paths.
  • Absolute paths.
  • Windows drive-rooted paths.
  • . or .. path segments.
  • Duplicate slash path segments.
  • Unsafe path characters.
  • Files that escape the extraction directory.
  • Copy destinations that escape the allowed root.

Lua filename safety

For OpenSteamTool Lua scripts, OpenLuaTools expects app ID based filenames:

<appid>.lua

Unexpected Lua filenames are skipped.

Manifest filename safety

Manifest files must match a numeric manifest filename format:

<digits>_<digits>.manifest

Unexpected manifest names are skipped.

URL safety

External URLs must use http:// or https://.

URLs with unsafe characters are rejected before they are opened or downloaded.

Game folder safety

When applying helper/fix archives, OpenLuaTools validates that copied files remain inside the selected game install path.

Even with this protection, users should:

  • Back up modified files.
  • Use trusted sources only.
  • Avoid running unknown scripts.
  • Scan archives when appropriate.
  • Verify game files if something breaks.

API key safety

Never share:

  • API keys.
  • Steam account tokens.
  • Private logs with personal paths.
  • Screenshots showing keys or tokens.

When reporting bugs, redact sensitive values first.

Clone this wiki locally