What does 'flagged for review' mean?

Flagged for review is an orange awareness level, never an accusation. It means one of three things: a script can both reach the network and run external code (the shape used by runtime downloaders), or its extracted code matched one of our five static patterns, or its code is obfuscated and could not be inspected. Many legitimate mods never look like this, so it's a prompt to verify the file is the official release from the creator's page before trusting it. Disabling is optional and fully reversible.

Do you ever call a mod malware?

Only at the red 'known threat' level, and only when a file's exact SHA-256 matches a documented, verified sample with a cited source. Even then, the listing is scoped to that one file's hash, never to a creator, because malware routinely hijacks legitimate creator accounts. Every other finding uses neutral language like 'flagged for review.' You can dispute any listing.

How do I dispute a flag?

Email sims4modfixer@gmail.com with the file name, the file's SHA-256 hash if you know it, the official source URL, which flag you're disputing, and why you believe it's a false flag. Listings are scoped to a file's hash, never to a creator, and nothing is ever deleted, so a quarantined file can always be restored with one click while we review.

← Back to Sims 4 Mod Fixer

How We Flag Unsafe Mods

By the Sims 4 Mod Fixer team · Updated June 2026

Sims 4 Mod Fixer runs a set of static, pre-launch safety checks automatically during a normal scan — fully offline, no account, quarantine-only (nothing is ever deleted). Here is exactly what each flag means, and how to dispute one.

Sims 4 Mod Fixer is the only Sims 4 mod tool with a published severity rubric and a documented creator dispute path — that transparency is the point.

The three flag levels

Every safety finding falls into one of three levels. The first two are about awareness and review — they are never an accusation. Only the third level uses words like “threat,” and only when the evidence is a documented, verified sample.

Level	What it means	What you should do
Capability note (info)	A script uses a capability — such as network access — that many legitimate mods also use (built-in update checkers are a common example). No action needed — this is here for awareness.	Nothing. Informational only.
Flagged for review (orange)	Either the script can both reach the network and run external code — the shape used by runtime downloaders — or its extracted code matched a suspicious pattern, or its code is obfuscated and could not be inspected. Many legitimate mods never look like this.	Verify this is the official release from the creator's page before trusting it. Disabling is optional and fully reversible.
Known threat (red)	The file's exact SHA-256 matches a documented, verified malware sample, or a real executable file (.exe, .bat, .dll and 9 other executable types) is sitting loose in your Mods folder or hidden inside a script mod's archive — Sims 4 mods never need executable files.	Treat as unsafe. You can still restore it with one click if you believe it is a mistake — see Dispute a listing.

We never call a mod "malware" unless its exact file matches a documented, verified sample with a cited source — and even then, the listing is scoped to that file's hash, never to a creator, and you can dispute it.

What "flagged for review" actually checks

The orange “flagged for review” level comes from three honest, static layers. Each one reads what a mod's extracted code looks like before the game runs — none of it watches the mod once it is running.

Capability detection

We look at which capabilities a script imports. A single network capability on its own (the kind an update checker uses) is only a capability note (info). We raise it to flagged for review only when a script can both reach the network and run external code — the “downloader shape” that legitimate mods rarely combine. The finding names the evidence (for example, the module it imports) so you can check it yourself.

Five hand-written bundled rules over extracted Python strings

We run five hand-written bundled rules over the text strings extracted from a mod's compiled Python. These are five specific patterns, not a signature feed:

discord_webhook_exfil — Discord/webhook exfiltration URLs.
raw_ip_literal — raw IP-address literals.
base64_exec_chain — base64 decode feeding exec/eval (staged-payload shape).
eval_on_remote — eval/exec on remotely-fetched content.
subprocess_variable_args — subprocess with shell or dynamic args (command construction).

A hit means the extracted code contains a pattern common to runtime downloaders — review the mod before trusting it. Plenty of safe mods never look like this, so a hit is a prompt to verify, not a verdict.

Obfuscation as a signal

If a mod's code is packed or obfuscated so its strings can't be read, we flag it as obfuscated — could not be inspected. That phrase means exactly what it says: we could not read the code, not that the code is malicious. It is surfaced so you can decide for yourself whether to trust a mod you can't see inside.

What our detection does — and doesn't do

We would rather under-promise than overstate what these checks can catch. Here is the honest scope:

It is static and pre-launch. It reads what a mod's code can do; it does not watch what a mod does while the game is running. There is no sandbox and no runtime monitoring.
It scans extracted Python strings, not the package binary, and it is not a full antivirus engine. It looks at the text inside a mod's compiled script, not at every byte of a .package file.
The known-bad-hash check is seeded with one verified real sample, not a signature feed of thousands. It catches that exact file by its SHA-256, and any others we add and ship with future releases.
Loose-executable detection is extension-based. A renamed executable may slip past the extension check — the capability and pattern checks above are the compensating layers that look at what the code actually does.
There is an allowlist mechanism for known-legitimate files. It can suppress capability findings for releases we verify as official (by their SHA-256), so confirmed-good mods don't get falsely flagged. It ships empty and grows as releases are verified — the mechanism itself is built in and tested.
Everything runs offline, bundled inside the app, and updates with each app release. There is no remote service and no between-release update feed — what you have installed is what runs.

Dispute a listing

Listings are scoped to a file's SHA-256 hash, never to a creator. Sims 4 malware routinely hijacks legitimate creator accounts, so a flag is never an accusation against a person. If you believe a file was flagged in error, email us the details below and we'll review it.

Found a file you believe was flagged in error?

Dispute a flag

Our safety promise

Every safety feature follows the same doctrine the rest of the app does:

Nothing is ever deleted. Every action is quarantine-only — files are moved aside, never destroyed.
Every flag is reviewable. You see the evidence behind each finding and decide for yourself.
Disabling is optional and fully reversible. Any quarantined file can be restored to its exact original spot with one click.
It all runs offline. No account, no upload, no remote service — the checks happen on your own machine.