The fix appears to be working fine, but there's still some insecure functions available. For example, I can cause the EXE to crash when using package.loadlib() in my codeToInject variable. Exploiting this function is actually quite difficult but not impossible I believe.

I can't think of any other examples, but you should take a second look just to be on the safe side.

This one should be fixed now. You can still access the global environment from scripts.load, but I did some work reducing the surface area of insecure functions in the global environment. Namely, you can no longer access lua's os or io modules.

If you need to load an asset in the game's file system, you can use the new DFHack.loadAsset(path) function. Paths are relative to the Hack 'n' Slash root directory.