While this is more of a long-term thing, before any support is released for mods, some documentation should be written on what the sandbox is like beforehand so that penetration testing can have a bash at Clockwork Empires before modding support (and potentially malicious mods) is added. You really don't want to end up in the situation Tales of Maj'Eyal is in now.
It's happened in other games too; Garry's Mod comes to mind. People put malware in mods for games that allow scripting. Basically, make sure the scripts can't write to anything outside the actual game.
You can use a Tales of Maj'Eyal mod to start a shell script. Details here: https://www.pentestpartners.com/blog/sandbox-vuln-in-tales-of-majeyal/ Essentially the problem is that, when someone runs a game, they don't expect modders to be able to run arbitrary shell scripts. Even though there is no privilege escalation here, it could still do damage and be used for something like ransomware.
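The "can't write to anything outside the actual game" rule from the second post, as an added example that is not code from any of these games or from the posters: a path gate a game could put in front of the only file-writing call it exposes to mod scripts. It assumes a POSIX filesystem and a constructed throwaway game directory; shell and OS functions are simply not exposed to mods at all, so they need no gate.

```python
import os
import tempfile

# Added example (not code from any game or from the posts above): a write gate
# a game could place in front of its mod scripting API so mods can only touch
# files under the game's own directory. Assumes a POSIX filesystem.

class ModSandboxError(PermissionError):
    """Raised when a mod asks for a path outside its allowed directory."""

def resolve_inside(game_root: str, requested: str) -> str:
    """Return the absolute path for `requested` if it stays inside game_root.

    Rejects absolute paths, '..' traversal and symlinks that point outside the
    root by comparing fully resolved paths (realpath follows symlinks).
    """
    root = os.path.realpath(game_root)
    if os.path.isabs(requested):
        raise ModSandboxError(f"absolute path not allowed: {requested}")
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath, not startswith: '/games/ce2' must not pass for root '/games/ce'
    if os.path.commonpath([root, candidate]) != root:
        raise ModSandboxError(f"path escapes the game directory: {requested}")
    return candidate

def is_write_allowed(game_root: str, requested: str) -> bool:
    try:
        resolve_inside(game_root, requested)
        return True
    except ModSandboxError:
        return False

def mod_write_text(game_root: str, requested: str, text: str) -> int:
    """The only file-writing call a mod is given; returns characters written."""
    with open(resolve_inside(game_root, requested), "w", encoding="utf-8") as fh:
        return fh.write(text)

def demo() -> dict:
    """Probe the gate against a constructed throwaway game directory."""
    with tempfile.TemporaryDirectory() as game_root, tempfile.TemporaryDirectory() as outside:
        # a symlink inside the game dir that points out of it (the sneaky case)
        os.symlink(outside, os.path.join(game_root, "escape"))
        return {
            "normal": is_write_allowed(game_root, "save.dat"),
            "traversal": is_write_allowed(game_root, "mods/../../.bashrc"),
            "absolute": is_write_allowed(game_root, "/etc/crontab"),
            "symlink": is_write_allowed(game_root, "escape/payload.sh"),
            "written": mod_write_text(game_root, "save.dat", "turn=42\n"),
        }

if __name__ == "__main__":
    print(demo())
```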