Yeah, I'm listening for {"kinds":[24133]} and when I get one, I create a new 24133 event from my ephemeral keypair to the 'p' tag of the event with a connect command. I do it again to the 'pubkey' of the event because I don't know what command was sent and which direction it is going. I backdate the event by a few seconds. One of those will be the bunker and will generally pop up to the user asking to allow the connect. Some users will allow it and then I can send in a mock event that says it is me fucking with them and ask them to sign it. Hopefully their client displays the event and sees that it is me fucking with them. If not, well, I get an event signed by them saying that I fucked with them. Basically I can script the whole thing and just point it at a popular relay and go to sleep, and then check on it in the morning.
If people implemented the "secret=" part of the NIP-46 standard, bunkers could simply drop requests that didn't include the connect secret, and none of this would be possible. But among 3 clients @bu5hm4nn tested today, none of them use the secret parameter in the bunker:// URL when they send in their connect string, which signalled to me that none of the bunkers are requiring it (well, except gossip. Gossip requires it.)
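
An added example, not part of the original post and not code from any bunker implementation: a bunker-side gate that drops NIP-46 connect requests that do not carry a secret issued in a bunker:// URL, so no prompt ever reaches the user. It assumes the kind 24133 event has already been signature-checked and decrypted; `ConnectGate`, `handle` and the return labels are names made up here, and treating the secret as single-use is this example's policy.

```python
import hmac
import json
from urllib.parse import urlparse, parse_qs

def parse_bunker_url(url):
    """Split bunker://<signer-pubkey>?relay=...&secret=... into its parts."""
    u = urlparse(url)
    if u.scheme != "bunker" or not u.netloc:
        raise ValueError("not a bunker:// URL")
    q = parse_qs(u.query)
    return u.netloc, q.get("relay", []), (q.get("secret") or [None])[0]

class ConnectGate:
    """Bunker-side policy applied to an already decrypted kind 24133 request."""

    def __init__(self, signer_pubkey, secrets):
        self.signer_pubkey = signer_pubkey
        self.pending = set(secrets)   # secrets issued in bunker:// URLs, unused
        self.authorized = set()       # client pubkeys that completed connect

    def handle(self, client_pubkey, payload):
        try:
            req = json.loads(payload)
            method, params = req["method"], req["params"]
        except (ValueError, KeyError, TypeError):
            return "drop"
        if method != "connect":
            # Any other command is honoured only for an already connected client.
            return "dispatch" if client_pubkey in self.authorized else "drop"
        if not isinstance(params, list) or len(params) < 2 or not isinstance(params[1], str):
            return "drop"             # no secret supplied: never prompt the user
        if params[0] != self.signer_pubkey:
            return "drop"
        offered = params[1].encode()
        match = next((s for s in self.pending
                      if hmac.compare_digest(s.encode(), offered)), None)
        if match is None:
            return "drop"             # unknown or already used secret
        self.pending.discard(match)   # single use (policy assumed in this example)
        self.authorized.add(client_pubkey)
        return "ack"

if __name__ == "__main__":
    # Constructed sample values, not real keys.
    pk, _, secret = parse_bunker_url("bunker://" + "ab" * 32 + "?relay=wss://relay.example&secret=s3cr3t")
    gate = ConnectGate(pk, [secret])
    print(gate.handle("cd" * 32, json.dumps({"id": "1", "method": "connect", "params": [pk]})))
```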