[rozap]

You're right in principle, but I think in practice this is sort of a non issue. Most sites now employ (for better or worse) anti botting tools which have some sort of javascript challenge that will generate a unique token. Given that this tool is only capable of replacing the dynamic parts of the request graph with tokens found in the output from the previous steps, I don't see how it would get around these sorts of challenges. So effectively, if you're using methods to prevent "unauthorized" use of your APIs, I think this sort of tool will be defeated extremely easily. The reverse engineering/web scraping world has unfortunately evolved to be extremely adversarial, and this sort of tool is does not have the sneakiness required to get around even the simplest anti botting measures.

Until LLMs become smart enough to emulate a full JS stack, I think we're safe :)