diff --git a/sphere/screen/gameplay/CloudburstEngine/NoteSkin.lua b/sphere/screen/gameplay/CloudburstEngine/NoteSkin.lua
index a2f30efe8..ee200e62f 100644
--- a/sphere/screen/gameplay/CloudburstEngine/NoteSkin.lua
+++ b/sphere/screen/gameplay/CloudburstEngine/NoteSkin.lua
@@ -69,6 +69,23 @@ NoteSkin.loadImages = function(self)
 	end
 end
 
+
+local env = {
+	math = math
+}
+
+local safeload = function(code)
+	if code:byte(1) == 27 then
+		error("bytecode is not allowed")
+	end
+	local f, message = loadstring(code)
+	if not f then
+		error(message)
+	end
+	setfenv(f, env)
+	return f
+end
+
 NoteSkin.loadFunctions = function(self)
 	if not self.noteSkinData.functions then
 		return
@@ -77,9 +94,9 @@ NoteSkin.loadFunctions = function(self)
 	local functions0 = self.functions0
 	local functions1 = self.functions1
 	for _, fn in pairs(self.noteSkinData.functions) do
-		functions0[fn.name] = loadstring(fn.chunk0)()
+		functions0[fn.name] = safeload(fn.chunk0)()
 		if fn.chunk1 then
-			functions1[fn.name] = loadstring(fn.chunk1)()
+			functions1[fn.name] = safeload(fn.chunk1)()
 		end
 	end
 end