Bots normally do not run in a real browser. Thus they may lack JavaScript. Since JS is required to fill in the "hidden" form item, it should be helpful it controlling spam. If the bot fills in the validation field item, it will need incredible amounts of luck to insert a value that is accepted in the server side validation.

referring to the above quote from the module page, would i be wrong to say that a bot can grep the page for the drupal.settings script block and extract the timestamp from there? a bot would not need javascript to do it and it would be trivial to bypass the protection of this module without any luck involved.

am i wrong to say this?