nemo.foo

I wanted to understand why Old School RuneScape has such a persistent bot problem. So I built a voice-controlled client.

Not to cheat. To learn. Voice control seemed like a way to explore what the plugin API actually exposes without crossing ethical lines. I’d build something that required a human in the loop, and in the process, I’d see exactly what an automation developer sees.

What I found: botting isn’t a detection problem. It’s a client control problem. And it won’t be solved until Jagex ships an official plugin API.

Video version: [VIDEO_LINK_HERE]

TL;DR: RuneLite isn’t bad, Jagex isn’t lazy, and “detect better” isn’t the answer. This is the cost of the community picking RuneLite over the official client.

Live stats: Tracking RuneLite adoption after the Java client shutdown

What I Built

I created a new ironman account, voicescaper, and set out to play the game by voice.

The tool has two pieces. A RuneLite plugin reads game state: where NPCs are, what’s in my inventory, which tiles are walkable. An external application listens for speech, transcribes it locally, and translates commands into mouse clicks. Everything runs on my machine. No cloud services, no data leaving my computer.

Playing as voicescaper was humbling. I chopped trees, mined ore, talked to NPCs, attacked cows. The kinds of things you do in the first hour of any account. It worked, mostly. But voice recognition is unforgiving. “Attack cow” sometimes became “a tank cow.” Pathfinding meant saying “move five tiles north” and hoping I’d counted right.

After an hour, I was exhausted from talking and went back to clicking.

The Moment It Clicked

But then I started thinking about what I’d actually built.

The plugin has access to complete game state. The external application can click anywhere on screen. The only thing making this a voice control tool instead of a bot is that a human provides the intent.

I didn’t build autonomous automation. But the architecture would trivially support it. Swap out voice recognition for a decision loop, and you have a bot. The structural pieces are identical.

This is the core insight: the plugin API that enables quest helpers and ground markers also exposes everything automation needs. The hard part of botting, understanding what’s happening in the game, is already solved by the same infrastructure that makes RuneLite useful.

Why This Matters

When people talk about botting, the instinct is “detect better” or “ban harder.” But detection has structural limits.

Jagex can only see what reaches their servers: clicks arriving at plausible speeds. They can’t see what’s running on your machine, what plugins are loaded, or whether a human decided to click or a script did. From their side, a bot with full game state access looks identical to a player.

That’s the problem. It’s not that Jagex isn’t trying. It’s that the information they’d need to distinguish automation from legitimate play doesn’t exist at the server level.

The Automation Landscape

There are several ways people automate OSRS. Understanding them helps clarify where Jagex has leverage and where they don’t.

Network bots talk directly to Jagex’s servers. No client, just raw packets. In theory, Jagex could change the protocol anytime. In practice, breaking RuneLite (which reverse-engineers the same protocol) creates friction.

Memory bots attach to the running client and read game state from RAM. The standard defense is kernel-level anti-cheat like Vanguard or EasyAntiCheat. But that’s invasive software, and you can’t mandate it for a third-party client you don’t control.

Auto-clickers are simple input macros. These are actually detectable. Clicking the same pixel every 1.8 seconds for five hours is statistically obvious. But the moment automation has access to game state, it can vary timing and position to look human.

Client plugins are where I operated, and where Jagex has the least leverage. The RuneLite API exposes complete game state. Anyone can fork the client, write unreviewed plugins, or bridge data to external programs. Jagex can’t see what plugins you’re running. They can’t verify your client is legitimate.

Everything I built used public APIs. I didn’t reverse-engineer anything. I used the same tools as tile markers and quest helpers.

What OSRS Can Learn from WoW

World of Warcraft has supported add-ons for over twenty years. Thousands of developers. Deeply customizable UI. A massive plugin ecosystem.

And yet, WoW’s add-on system doesn’t meaningfully lower the barrier to automation. Not because Blizzard detects better, but because the API is intentionally constrained.

Like RuneLite, WoW add-ons can’t generate input. No fake clicks or keypresses. The difference is everything around that constraint.

WoW add-ons run in a sandbox. They can display information and help you make decisions, but they can’t hand that information to external programs. There’s no bridge. If you want to build a WoW bot, you have to leave the add-on system entirely: memory reading, injection, OS-level input spoofing. Techniques that are harder to build and easier to detect.

RuneLite is different. Plugins run in a full JVM with access to complete game state. A plugin can trivially act as an oracle, packaging up coordinates, NPC positions, and interface state for whatever external tool wants to consume it. The plugin doesn’t click. But it makes clicking programmatically easy.

Imagine if RuneLite’s entity highlighter could show you where the fishing spot is, but couldn’t tell an external program its exact screen coordinates. That’s roughly what WoW enforces.

WoW has quest helpers too. Questie, RestedXP. But notice how they work: targeting icons, minimap markers, on-screen directions. Not direct entity outlines with pixel-perfect coordinates exposed to the API. Different levels of access. And critically, the data can’t be bridged out.

Jagex needs an official client with a plugin API designed like WoW’s. One that lets you build helpful tools without also enabling automation.

The Accessibility Angle

Somewhere along the way I realized what I’d built had legitimate uses beyond my experiment. OSRS requires thousands of clicks per hour. That’s fine if you have full use of your hands. It’s a barrier if you don’t.

Voice control isn’t a competitive advantage. It’s slower and less precise than a mouse. The human is still playing, still making decisions. The interface just changes how input is provided, not who provides it.

The uncomfortable part is that the same infrastructure supports both. An accessibility tool and a bot differ only in what drives decisions. Distinguishing between them technically is extremely difficult.

Why Jagex Is Stuck

Jagex isn’t lazy. They tried.

In May 2018, Jagex told RuneLite to shut down. Not “remove these features.” Shut down entirely. When Adam, the developer, asked what specifically violated their terms so he could fix it, Jagex wouldn’t say. The demand was: close by the end of the week.

The community erupted. RuneLite had already become essential. Jagex backed down.

That moment forced a choice: client control or player retention. They chose openness. Botting became harder to fight as a direct result.

In June 2022, Jagex formalized the compromise with an approved client list. Only RuneLite and HDOS are permitted. Everything else gets you banned.

But an approved list doesn’t give Jagex technical leverage. They still can’t see what plugins are running. They still can’t verify inputs came from legitimate play. They just narrowed the field of clients they’re not actively fighting.

Update (January 28, 2026): The legacy Java client had been deprecated for years. Jagex’s reasoning for finally retiring it: “the vast majority of users are botting.” When the switch flipped, tens of thousands of accounts vanished from the player count overnight. This proves Jagex can still act decisively—but notice what they could act on: a client they control. RuneLite and HDOS remain untouched. I’m tracking RuneLite adoption to see if those bots migrate.

The Roadmap

RS3 is getting an official plugin API in 2026. Jagex announced a dedicated team building it.

Old School started down the same path. In July 2024, they announced a plugin API in development, built in collaboration with established plugin developers.

Then they paused it to prioritize HD rendering and mobile improvements.

I get it. HD and mobile are visible features. A plugin API is infrastructure. Hard to put in a trailer.

And to be fair, finishing the new renderer lets them retire legacy code. That cleanup positions them to build the API properly.

But infrastructure is how you solve this long-term. The anti-bot leverage that comes from client control doesn’t exist until the API ships.

RS3 is getting this in 2026. Old School should too.

The Uncomfortable Reality

There are three paths forward.

Ban third-party clients. Close the vulnerability, lose a huge chunk of players. RuneLite isn’t optional for most of the community anymore.

Keep the status quo. Third-party clients stay legal. Botting stays viable. The cat-and-mouse continues indefinitely.

Reclaim the client with a constrained plugin API. This is the only sustainable option. But it requires Jagex to control the runtime and define the extension boundaries. Copying RuneLite’s features isn’t enough. The API itself needs different constraints.

With client control, Jagex can ask “did this come from software we trust?” instead of “does this look human?” That’s a different question. Bots are much worse at answering it.

There’s a world where plugins exist and botting becomes meaningfully harder. It just can’t be built on third-party clients.

Why I’m Writing This

Some people will read this and think I’m enabling botters. I’m not.

The dynamics I’m describing are already well understood by people who build bots. I’m explaining them to everyone else: players frustrated by gold farmers, community members who think Jagex isn’t trying hard enough.

You get a remarkable plugin ecosystem and major quality-of-life improvements. You also get an automation surface that can’t be fully closed. These aren’t separate issues. They’re the same architectural choice, viewed from different angles.

A Note on Implementation

I’m deliberately not providing technical specs or library names beyond what’s necessary to make the argument.

The goal is to explain why the botting problem is structural, not to hand out a reference implementation. Anyone determined to build automation doesn’t need my help.

The tool runs entirely locally. No cloud services, no data collection.

What I’d Like to See

Unpause the plugin API. HD is great. Mobile matters. But the API is how you get long-term leverage. It should be a priority.

Design it with WoW’s lessons in mind. Intentional limits. A sandbox that exposes information without exposing control. Protected functions that can’t be called programmatically.

Work with RuneLite. The RuneLite team built something remarkable. They understand what plugins need. Collaborate on what a healthy API looks like.

If anyone at Jagex wants to talk about client architecture or plugin tradeoffs, I’m available. I’m not interested in enabling gold farmers. I love this game and want it to be around for a long time.

Also, if you’re hiring for the bot-busting team, I’d love to help.

References

I set out to understand why OSRS has a botting problem. I ended up learning it’s architectural, not a detection problem. And it won’t change until Jagex controls the client.

The OSRS Botting Problem Is Architectural