True... nothing is in the GUI that they could see that could help them in any way...
You said "A possible solution to this is to verify with the server before running the code to display.", how exactly would I go about doing that? Maybe make the command send a net message to the server, check if it's a valid id, and if it is, display the GUI? I guess opening the GUI itself isn't malicious, but the net messages that add to the rank and stuff are. Now that I think about it, having the 'Hack Ban' message is kind of pointless... I just did it because it's easier for me to format I guess. Will make some changes.
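
One way to do the server-side check asked about above, as an added GLua example that is not part of the original post: the server answers the open request only for authorized players and re-checks the sender on the rank-changing message itself. The message names, the allowlisted SteamID and the rank names are hypothetical, and the file is assumed to be loaded on both client and server.

```lua
-- Added example. All names below are hypothetical; the SteamID is a constructed placeholder.
local ALLOWED = { ["STEAM_0:0:00000000"] = true }
local VALID_RANKS = { user = true, moderator = true, admin = true }

local function isAuthorized(ply)
    return IsValid(ply) and (ply:IsSuperAdmin() or ALLOWED[ply:SteamID()] == true)
end

if SERVER then
    util.AddNetworkString("rankgui_request_open")
    util.AddNetworkString("rankgui_open")
    util.AddNetworkString("rankgui_set_rank")

    -- Opening the GUI: the server decides whether to answer at all.
    net.Receive("rankgui_request_open", function(len, ply)
        if not isAuthorized(ply) then return end
        net.Start("rankgui_open")
        net.Send(ply)
    end)

    -- The message that changes state: check the sender again and validate
    -- every field, because a client can send this message without ever
    -- having opened the GUI.
    net.Receive("rankgui_set_rank", function(len, ply)
        if not isAuthorized(ply) then return end
        local target = net.ReadEntity()
        local rank = net.ReadString()
        if not (IsValid(target) and target:IsPlayer()) then return end
        if not VALID_RANKS[rank] then return end
        target:SetUserGroup(rank)
    end)
else
    -- The console command only asks; it never opens the panel directly.
    concommand.Add("rankgui", function()
        net.Start("rankgui_request_open")
        net.SendToServer()
    end)

    -- The panel is created only when the server replies.
    net.Receive("rankgui_open", function()
        local frame = vgui.Create("DFrame")
        frame:SetTitle("Rank manager")
        frame:SetSize(300, 200)
        frame:Center()
        frame:MakePopup()
    end)
end
```

The check in `rankgui_set_rank` is the one that protects the server; the check on opening only keeps the panel away from players who have no use for it.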