I doubt it. It's the kind of thing the Repository API is created for. The communication with the Repository API is encrypted with the QS certifcate. So it's not exactly plain text for everybody. You need access to the QS certificates. And if you have that you basically 'own' that QS installation. Which is why you shouldn't leave those certificates lying around where anyone can get their hands on them.