Is it possible to create a malicious game?

I am creating a game where users can more or less create their own gamemodes/levels on top of it. I let them add props/levels/ECT but I also let the users do some programming to get things working at a more advanced level if they want to.

I am wondering if it is possible for users to create malicious code. I know you guys do not know my project so it would be easier just to assume that they are making a new game from scratch. If someone downloads that game is there a possibility that someone can put malicious “stuff” in that game?

I only ask because if it is possible I will have to add more security to the users being able to program their gamemodes/levels. If there is a possibility of this, do anyone know of a way to protect against something like that or would it be better to just remove the possibility completely?

Absolutely yes - as a simple example you can write/read to/from from the machine on which the engine is installed using just the filesystem wrappers. If a malicious person also has access to the open Unreal source like we all do it becomes even easier to find exploitable code paths for what you do expose, as innocuous as it may seem. Unfortunately this is not easy to prevent, but hopefully some people smarter than me will have some ideas for you.

If you’re allowing users to add scripting to their game modes and levels, then their ability to create malicious scripts is as limited as you make it.

For example, if you’re allowing players to use Lua and expose all of the built-in libraries then they can easily create malicious scripts. However, if you don’t enable the OS module (or write your own, limited version of it) and isolate their access to the file system (there are libraries that will do this for you but their names escape me right now) then creating malicious scripts becomes much more difficult.

Thank you for the insight and idea.