Arn't they yoinking an OAuth token for replay in the Claw app?

If so, I don't think anybody who knows how auth works could feign complete innocence.