csgo-osx-linux
Unintended Client Manipulation via Map Entities in Source Engine
Introduction
There is an old and rarely discussed feature in the Source Engine. It was known only to a small circle of experienced mappers and has rarely been documented.
Certain map entities can send commands directly to the player client, modifying behavior without any confirmation. This functionality still exists in modern Source builds and can be triggered by maps in various ways.
Mechanism
The core of this issue involves two entities:
- point_servercommand — executes server-side commands that may affect the client.
- point_clientcommand — executes commands directly in the player’s console.
Both entities have existed since early Source versions and remain functional today. Commands are executed silently, without warnings, and without the player’s consent. Players cannot distinguish between their own input and commands triggered by the map.
The following sections illustrate several observed client-side effects caused by these entities.
Additional actions for movement keys: In this example, I added an extra action to the walk/move forward key (W). When I press W, the client performs an additional, unexpected action that was not configured by me.
From the player’s perspective, it feels like the key is doing more than it should — for instance, triggering a secondary command or changing movement behavior. The effect is not game-breaking but demonstrates that the map can silently modify client input.
Buy menu interference: In this scenario, I altered the client behavior for the buy menu key. When the player presses the buy key, instead of opening the menu normally:
- The menu might fail to open.
- The game may automatically purchase a weapon.
- The currently held weapon could be dropped unexpectedly.
This effectively blocks the normal functionality of the buy menu. From the player’s perspective, pressing the buy key produces unexpected actions rather than the intended behavior.
Valve server after workshop map:
Scoreboard (TAB) manipulation: Here, I changed the behavior tied to the TAB key. Pressing TAB no longer simply opens the scoreboard. Instead, it can:
- Disconnect the player from the current server.
- Force the client to return to the main menu.
This is one of the more disruptive effects. A player might think they accidentally disconnected, while in reality the map triggered the action.
Automatic server connection:
In this example, pressing a movement key or another assigned key triggers an automatic connection to a different server.
From the player’s perspective:
- No prompt or confirmation appears.
- The client immediately connects to the new server.
- Any previous changes or actions may be reset, and the player loses control for a moment.
This effect is particularly concerning because it allows the map to control which server the player connects to, without the player initiating it.
Additionally, the use of such addons has turned parts of the Workshop into advertising space for fake or low-effort maps.
- Popular or high-quality maps are often buried beneath these manipulative addons.
- Some creators artificially boost likes on their own addons, while others downvote legitimate maps, distorting the ranking system.
These behaviors impact the visibility of good maps and mislead players about the quality and popularity of Workshop content.
Possible Mitigations
- Limit or block client-side commands that maps can execute.
- Review the relevance of legacy entities (point_clientcommand, point_servercommand) in modern Source 2 builds.
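A map can also be checked before it is loaded. This is an added example, not part of the original report or of Valve's code: a Python audit that reads the entity lump (lump 0) of a compiled .bsp and lists any point_clientcommand / point_servercommand entities together with the outputs that fire their Command input. The function names and the embedded sample map are constructed for illustration, and the entity lump is assumed to be uncompressed.

```python
import re
import struct

FLAGGED = {"point_clientcommand", "point_servercommand"}
PAIR = re.compile(r'"([^"]*)"\s+"([^"]*)"')

def entity_lump(bsp: bytes) -> str:
    """Return lump 0 (the entity lump) of a Source BSP as text."""
    ident, _version = struct.unpack_from("<4si", bsp, 0)
    if ident != b"VBSP":
        raise ValueError("not a Source engine BSP")
    offset, length = struct.unpack_from("<ii", bsp, 8)  # lump 0: fileofs, filelen
    return bsp[offset:offset + length].rstrip(b"\0").decode("latin-1")

def parse_entities(text: str):
    """Each { ... } block becomes a list of (key, value) pairs; output keys may repeat."""
    return [PAIR.findall(block) for block in re.findall(r"\{([^{}]*)\}", text)]

def audit(text: str):
    """Return ({targetname: classname} of flagged entities, outputs firing their Command input)."""
    ents = parse_entities(text)
    flagged = {}
    for ent in ents:
        kv = dict(ent)
        if kv.get("classname", "").lower() in FLAGGED:
            flagged[kv.get("targetname", "").lower()] = kv["classname"]
    hits = []
    for ent in ents:
        source = dict(ent).get("classname", "?")
        for key, value in ent:
            # Output fields: target, input, parameter, delay, refire; separator is ESC or a comma.
            parts = value.split("\x1b" if "\x1b" in value else ",")
            if len(parts) >= 3 and parts[0].lower() in flagged and parts[1].lower() == "command":
                hits.append((source, key, parts[0], parts[2]))
    return flagged, hits

def build_sample_bsp() -> bytes:
    """Constructed sample: BSP header plus an entity lump, no geometry."""
    lump = (
        '{\n"classname" "point_clientcommand"\n"targetname" "cmd"\n}\n'
        '{\n"classname" "trigger_multiple"\n'
        '"OnStartTouch" "cmd\x1bCommand\x1becho constructed-sample\x1b0\x1b-1"\n}\n'
        '{\n"classname" "info_player_start"\n"origin" "0 0 0"\n}\n'
    ).encode() + b"\0"
    lumps = struct.pack("<iiii", 8 + 64 * 16 + 4, len(lump), 0, 0) + bytes(63 * 16)
    return struct.pack("<4si", b"VBSP", 21) + lumps + struct.pack("<i", 1) + lump

if __name__ == "__main__":
    print(audit(entity_lump(build_sample_bsp())))
```

To audit a real map, pass the file's bytes to entity_lump() instead of the constructed sample. Outputs that address their target by wildcard or special name are not matched by this check.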
Conclusion
Maps can silently modify client behavior, producing unexpected effects and interfering with gameplay. Even if some cases appear harmless, the consequences can be severe — from minor disruption to full loss of control over the client.