Private module

A private module is a ModuleScript which has been uploaded to the ROBLOX website and can be used by any game, but its source can only be viewed by the user who uploaded it.

Normally a ModuleScript can only be required by the user who uploaded it, but if the ModuleScript is named "MainModule", then any game can require it.

Can a private module's source be stolen?[edit]

Yes, it is possible to obtain the source of a private module. This is usually accomplished by requiring the module, getting a reference to the module's ModuleScript, parenting the ModuleScript to the DataModel, causing the game to save, and then opening the game in ROBLOX Studio to view the ModuleScript's source.

The most effective way to prevent this type of exploit is to place this line of code at the beginning of your ModuleScript:

script = nil


This will erase all references to the ModuleScript, preventing the exploiter from obtaining a reference to the ModuleScript. If your ModuleScript has children, you can do this:

local children = script:GetChildren()
script = Instance.new("ModuleScript")
for _, child in pairs(children) do
	child.Parent = script
end


This will replace the ModuleScript with a blank ModuleScript, which means even if an exploiter gets a reference to the ModuleScript and manages to save it, its source will be blank.

Caveats[edit]

  • By using a private module in your game, you are letting the module's author run arbitrary Lua code in your game. You cannot read the module's code to see what he is doing, so you are placing complete trust in him.
  • Private modules cannot be loaded from studio. This makes it difficult to test games which rely on private modules.