Shadow block opcodes are not properly validated

[apple502j]

By modifying the JSON file, any block can be set as "shadow block". They do not appear anywhere in the workspace, but they still execute, allowing codes to be hidden. This can be exploited in a lot of ways.

Example: https://scratch.mit.edu/projects/388355119 - it does not show any blocks because they are shadow blocks. However, the project can still run.

My solution would be to have list of "allowed shadow opcodes" and blocks not listed automatically gets marked as non-shadow - any other ideas?

[AmazingMech2418]

This can be exploited in a lot of ways.

I'm not really sure what you mean by this. Honestly, it can be a useful feature for adding things like cheat codes, but in a way that someone can't find them as easily, but I don't see how it could be exploited.

[apple502j]

Ability to hide code is not a feature Scratch intends to have.

[AmazingMech2418]

Ability to hide code is not a feature Scratch intends to have.

Shadow blocks to keep people from being able to reuse certain pieces of code would fall under not being able to be remixed and stuff, but shadow blocks to hide cheat codes to improve gameplay is a valid reason to keep them.