they can indeed detect this, there calling server sided functions, by implementing “injecting” their own client side scripts or something.
You can block this from happening, by adding a block/autokick/ban on these functions or adding a keycheck to the functions, and checking serversided if they match.
here’s a list provided by @d0p3t with the most commonly abused functions.