[extempo]

Malicious bots don't care if there is an API. They can screen scrape easily.

[eli]

I'm sure malicious bots do try to mass message repository owners through Github. It's called spam and every platform over a certain size experiences it. I expect Github already has measures in place to block it.