nemo.foo

I wanted to understand why Old School RuneScape has such a persistent bot problem. So I built a voice-controlled client.

Not to cheat. To learn. Voice control seemed like a way to explore what the plugin API actually exposes without crossing ethical lines. I’d build something that required a human in the loop, and in the process, I’d see exactly what an automation developer sees.

What I found: botting isn’t a detection problem. It’s a client control problem. And it won’t be solved until Jagex ships an official plugin API.

TL;DR: RuneLite isn’t bad, Jagex isn’t lazy, and “detect better” isn’t the answer. This is the cost of the community picking RuneLite over the official client.

Live stats: Tracking RuneLite adoption after the Java client shutdown

Demo: Voice-controlled OSRS in action

What I Built

I created a new ironman account, voicescaper, and set out to play the game by voice.

The tool has two pieces. A RuneLite plugin reads game state: where NPCs are, what’s in my inventory, which tiles are walkable. An external application listens for speech, transcribes it locally, and translates commands into mouse clicks. Everything runs on my machine.

Playing as voicescaper was humbling. I chopped trees, mined ore, talked to NPCs, attacked cows. Voice recognition is unforgiving. “Attack cow” sometimes became “a tank cow.” After an hour, I was exhausted from talking and went back to clicking.

The Moment It Clicked

The plugin has access to complete game state. The external application can click anywhere on screen. The only thing making this a voice control tool instead of a bot is that a human provides the intent.

Swap out voice recognition for a decision loop, and you have a bot. The structural pieces are identical. The hard part of botting, understanding what’s happening in the game, is already solved by the same infrastructure that makes RuneLite useful.

Why Detection Can’t Fix This

When people talk about botting, the instinct is “detect better” or “ban harder.” But detection has structural limits.

Jagex can only see what reaches their servers: clicks arriving at plausible speeds. They can’t see what’s running on your machine, what plugins are loaded, or whether a human decided to click or a script did. A bot with full game state access looks identical to a player.

The Automation Landscape

Network bots talk directly to Jagex’s servers. No client, just raw packets. Jagex could change the protocol, but breaking RuneLite (which reverse-engineers the same protocol) creates friction.

Memory bots read game state from RAM. The standard defense is kernel-level anti-cheat like Vanguard. But you can’t mandate invasive software for a third-party client you don’t control.

Auto-clickers are simple input macros. Clicking the same pixel every 1.8 seconds for five hours is statistically obvious, and actually detectable. But the moment automation has game state access, it varies timing and position to look human.

Client plugins are where I operated. The RuneLite API exposes complete game state. Anyone can fork the client, write unreviewed plugins, or bridge data to external programs. Jagex can’t see what plugins you’re running. Everything I built used public APIs. Same tools as tile markers and quest helpers.

What OSRS Can Learn from WoW

World of Warcraft has supported add-ons for over twenty years. Massive plugin ecosystem. Deeply customizable UI.

And yet WoW’s add-on system doesn’t meaningfully lower the barrier to automation. Not because Blizzard detects better, but because the API is intentionally constrained.

Like RuneLite, WoW add-ons can’t generate input. No fake clicks or keypresses. The difference is everything around that constraint. WoW add-ons run in a sandbox. They can display information and help you make decisions, but they can’t hand that information to external programs. There’s no bridge. If you want to build a WoW bot, you have to leave the add-on system entirely: memory reading, injection, OS-level input spoofing. Harder to build, easier to detect.

RuneLite is different. Plugins run in a full JVM with access to complete game state. A plugin can trivially act as an oracle, packaging up coordinates, NPC positions, and interface state for whatever external tool wants to consume it.

Imagine if RuneLite’s entity highlighter could show you where the fishing spot is, but couldn’t tell an external program its exact screen coordinates. That’s roughly what WoW enforces.

Jagex needs an official client with a plugin API designed like WoW’s. One that lets you build helpful tools without also enabling automation.

Why Jagex Is Stuck

They tried. In May 2018, Jagex told RuneLite to shut down. Not “remove these features.” Shut down entirely. The community erupted. Jagex backed down.

That moment forced a choice: client control or player retention. They chose openness. Botting became harder to fight as a direct result.

In June 2022, Jagex formalized the compromise with an approved client list. RuneLite and HDOS are permitted. But an approved list doesn’t give Jagex technical leverage. They still can’t see what plugins are running. They just narrowed the field.

Update (January 28, 2026): The legacy Java client had been deprecated for years. Jagex’s reasoning for retiring it: “the vast majority of users are botting.” When the switch flipped, tens of thousands of accounts vanished from the player count overnight. Jagex can act decisively on clients they control. RuneLite and HDOS remain untouched. I’m tracking RuneLite adoption to see if those bots migrate.

Update (April 2026): The data is in. Before the shutdown, the game averaged ~149K concurrent players. By March, ~115K. RuneLite’s share rose from 84.8% to 86-87%. The “Other” column shrank from ~22K to ~16K. Java client bots didn’t migrate to RuneLite. They vanished.

But the botting infrastructure is rebuilding. The Java client shutdown killed DreamBot, OSBot, TRiBot, and RuneMate overnight. TRiBot already shipped “Echo,” a RuneLite plugin. The tooling is moving to the one platform Jagex can’t touch. The next wave of bots won’t depend on a client Jagex can retire. They’ll live inside RuneLite, indistinguishable from legitimate plugins. Jagex bought time. They didn’t fix the architecture.

The Java client shutdown worked because Jagex controlled the client. Without that leverage, you’re left rearranging the furniture. Case in point: Last Man Standing. LMS has been overrun by bots for years. In April 2026, Jagex proposed gutting the reward shop. Their reasoning was honest: “it’s one of the most prolific battlegrounds between us and a seemingly endless stream of bots.” The community pushed back. The proposal punished everyone to stop the bots. Jagex scaled back to requiring a single win before accessing the shop. A speed bump, not a fix.

This is the pattern. 2018: shut down RuneLite, community erupts, back down. 2026: gut LMS rewards, community erupts, back down. The one time Jagex succeeded, they retired a client they owned. Every other attempt either punishes legitimate players or barely inconveniences bots. Usually both.

The Three Paths Forward

Ban third-party clients. Close the vulnerability, lose a huge chunk of players. RuneLite isn’t optional for most of the community anymore.

Keep the status quo. Third-party clients stay legal. Botting stays viable. Cat-and-mouse continues indefinitely.

Reclaim the client with a constrained plugin API. The only sustainable option. But it requires Jagex to control the runtime and define the extension boundaries. With client control, Jagex can ask “did this come from software we trust?” instead of “does this look human?” Bots are much worse at answering that question.

RS3 is getting an official plugin API in 2026. Old School started down the same path in July 2024, then paused it to prioritize HD rendering. HD is visible. A plugin API is infrastructure. Hard to put in a trailer. But infrastructure is how you solve this long-term.

There’s a world where plugins exist and botting becomes meaningfully harder. It just can’t be built on third-party clients.

The OSRS Botting Problem Is Architectural