> ScriptShield_

Documentation

After creating a script in the dashboard you get a URL like https://your-domain/raw/<id>. That URL only returns the script body when the request comes from a Roblox executor.

Standard loadstring

loadstring(game:HttpGet("https://your-domain/raw/<id>"))()

Works in any executor that sets its own User-Agent (Synapse X, KRNL, Fluxus, Hydrogen, Sirius, ...)

With custom executor header (fallback)

local res = request({
  Url = "https://your-domain/raw/<id>",
  Method = "GET",
  Headers = { ["X-Executor"] = "MyExecutor" },
})
loadstring(res.Body)()

Use this if your executor's UA isn't auto-detected.

What's detected as an executor?

Requests whose User-Agent contains any of: Roblox, Synapse, KRNL, Script-Ware, Oxygen, Valyse, Electron, Calamari, Fluxus, Vega X, Hydrogen, Evo, Celery, Kiwi X, Nihon, Rise, Sirius, Scriptify, Comet, Trigon, Velocity, Cryptic, Nexus, HttpGet. Browsers (Mozilla/Chrome/Safari/etc.) and debug tools (curl, Postman, Insomnia) are always blocked.

Storage

Scripts are XOR + base64 encoded with a server-side key before being saved. The plain text never sits in the database.