A RuneLite external plugin that helps manually identify nearby accounts that may be repeatedly casting Low Level Alchemy or High Level Alchemy while using fire-rune staff equipment.
The plugin is informational only. It does not report players, click menu options, automate gameplay, or submit any automated actions. It highlights suspects and presents the evidence that caused the flag so the user can investigate manually.
The plugin tracks nearby players inside the configured radius and scores them with configurable evidence:
- Fire staff evidence, defaulting to the basic staff of fire.
- Repeated alchemy-like animation or spot-animation observations within a time window.
- A minimum Magic level gate for found hiscore profiles, plus a Magic-dominant hiscore bonus where Magic is raised and only a configurable number of other skills are above the configured other-skill threshold.
- A high-Magic bonus for accounts still alching at 99 Magic.
- A cadence bonus for repeated alchemy observations at a consistent game-tick interval.
- Score reductions for accounts with enough non-Magic total level or combined clue-scroll completions and collection-log items to look less like fresh alching accounts.
Repeated alchemy behavior is required before a player can be highlighted unless Cast threshold is set to 0. In zero-cast mode, nearby fire-staff players can receive hiscore lookups and become score-only suspects without recent cast observations. When the staff requirement is enabled, staff evidence is also required before a scored player can become a suspect.
RuneLite does not expose a semantic "other player cast High Alchemy" event. Detection is therefore inferred from observable player state.
- The scene overlay outlines high-confidence suspects in red and moderate-confidence suspects in yellow.
- The plugin side panel lists current suspects, confidence, score, casts, hiscore evidence, reductions, and time since last seen.
- When right-click inspect is enabled, the player menu includes an Inspect Alch Activity option that shows the latest manually examined player score in a separate side-panel section without changing detection, watchlist, override, reported, or mobile suppression state.
- The debug menu-score setting adds each right-clicked player's current detection score to the Report option.
- The side panel can be switched to compact mode for shorter suspect rows.
- Right-click menu entries for suspects are colored by confidence when menu coloring is enabled.
- When menu sorting is enabled, right-click player entries are ordered: high-confidence suspects first, moderate-confidence suspects second, players reported by another account third, then everything else in its normal order. Players reported by the current account remain in that unsorted final tier.
- When you click RuneLite's normal Report option, the plugin suppresses that player for the current account's RuneLite session. If reported-player persistence is enabled, the player and the reporting account's stable RuneScape account UID are also saved locally across restarts.
- Players reported by the current account are outlined and menu-colored
#054B24by default. Players reported by another local account, or loaded from unattributed legacy history, use the existing light-green reported-player color until the current account also reports them. - The three shared player-list files are checked for changes every two seconds so concurrent RuneLite clients receive report, watchlist, and override updates without restarting.
- The side panel can import, export, and clear local reported-player history.
- The side panel includes a visual watchlist. Watched players can be outlined in blue and shown in the panel when seen, but watchlist entries do not change detection score or confidence. Red or yellow confidence outlines take precedence over the blue watchlist outline.
- The watchlist can remove entries already present in reported-player history, or entries whose normal OSRS hiscore lookup returns not found. The hiscore cleanup is a heuristic and is not proof of a ban, because renamed or missing-name accounts can also fail name-based lookup.
- The side panel includes an Override list. Override-listed players are suppressed from suspect highlighting until removed from the list.
- The side panel includes one-shot Conservative, Balanced, and Aggressive preset buttons. Presets write selected detection/scoring settings once; they do not create managed profiles.
- Mobile-client players can be suppressed after their mobile icon is observed in the right-click menu.
The plugin never submits reports automatically.
- Detection radius: 15 tiles
- Observation window: 60 seconds
- Cast threshold: 10 observations. Set to
0to allow fire-staff hiscore lookups and score-only detection without requiring recent casts. - Moderate confidence threshold: 90
- High confidence margin: +30, for an effective high confidence threshold of 120
- Require fire staff: enabled
- Broad fire-rune staff matching: disabled
- Ignore mobile players: enabled
- Hiscore lookup retry cooldown: 3 minutes
- Alchemy animation IDs:
713 - Alchemy spot-animation IDs:
112,113 - Scene overlay: enabled
- Menu coloring: enabled
- Menu sorting by confidence: disabled
- Right-click inspect players: disabled
- Persistent reported-player history: enabled
- Reported-player highlighting: enabled
- Other-account/legacy reported-player highlight color: RGB
144,238,144 - Current-account reported-player highlight color:
#054B24(RGB5,75,36) - Compact panel mode: disabled
- Hiscore scoring: enabled
- Minimum Magic threshold: Magic level 53. Set to 21 to include Low Alchemy capable accounts.
- Other-skill threshold: level 50
- Allowed other skills above threshold: 1
- High-Magic scoring: enabled at Magic level 99
- High-Magic score: +100
- Non-Magic total reduction: enabled
- Non-Magic total reduction threshold: 150
- Non-Magic total reduction penalty: -150
- Clue/collection-log reduction threshold: at least 1 combined entry
- Clue/collection-log reduction penalty: -100
Built-in score values:
- Basic staff evidence: +30
- Repeated alchemy behavior: +50
- Magic-dominant hiscore profile: +30
- Consistent cadence: +10
The animation and spot-animation ID lists are configurable. The defaults are seeded for Low/High Alchemy-style observations and should be validated in a RuneLite developer client.
Reported players are saved locally at:
~/.runelite/detect-auto-alchers/reported-players.csv
~/.runelite/detect-auto-alchers/watchlist.csv
~/.runelite/detect-auto-alchers/override-list.csv
The reported-player CSV stores normalized_name, display_name, date_reported, and reporter_uids. reporter_uids is a semicolon-separated set so several local accounts can retain attribution for the same reported player. The watchlist and Override list CSVs store their existing name/date columns plus modified_by_uid, identifying the account that most recently added or updated the extant row. This is provenance metadata, not an audit log; removed rows leave no deletion record.
Older three-column CSVs remain supported. Their rows have no account attribution and therefore use the other-account/legacy reported color until the current account reports the same player. Successful writes and exports use the new four-column schema.
Reported players and Override list players are suppressed from future suspect highlighting. Watchlist players are visual only. Disabling Persist reported players stops shared reported history from being written or applied, but reports made by that account remain suppressed and use its current-account color until that RuneLite process exits. Reports made while persistence is disabled are not written retroactively if the setting is enabled later.
The UID columns contain RuneLite's stable per-RuneScape-account hash encoded as an unsigned decimal number. They are not usernames or login credentials, but they are persistent pseudonymous identifiers. Keep the CSVs and reported-history exports private unless you intentionally want to share that metadata.
Preset buttons apply these intent-level profiles:
- Conservative: current default detection/scoring settings, with stricter cast and score thresholds, narrow staff matching, and stronger played-account reductions.
- Balanced: middle-ground detection/scoring settings.
- Aggressive: lower cast and score thresholds, broad fire-rune staff matching, Magic threshold 21, and lighter played-account reductions.
This plugin is not distributed through RuneLite Plugin Hub. The supported end-user artifact is the plain sideload jar named detect-auto-alchers.jar.
- Download
detect-auto-alchers.jarfrom the latest GitHub Release. - Close RuneLite.
- Create RuneLite's sideload folder if it does not exist.
- Copy
detect-auto-alchers.jarinto that sideload folder. - Start RuneLite through a developer-mode client launch, not through the Jagex Launcher.
- Open RuneLite's plugin panel, search for
Detect Auto Alchers, and enable it.
The sideload folder is:
macOS/Linux: ~/.runelite/sideloaded-plugins/
Windows: %USERPROFILE%\.runelite\sideloaded-plugins\
macOS/Linux install example:
mkdir -p ~/.runelite/sideloaded-plugins
cp detect-auto-alchers.jar ~/.runelite/sideloaded-plugins/Windows PowerShell install example:
New-Item -ItemType Directory -Force "$env:USERPROFILE\.runelite\sideloaded-plugins"
Copy-Item .\detect-auto-alchers.jar "$env:USERPROFILE\.runelite\sideloaded-plugins\"Simple developer-mode launch examples, if that executable path starts the client without RuneLite launcher metadata:
# macOS, if RuneLite is installed in /Applications
/Applications/RuneLite.app/Contents/MacOS/RuneLite --developer-mode
# Linux, if RuneLite is on PATH
runelite --developer-modeREM Windows, adjust the executable path if RuneLite is installed elsewhere
"%LOCALAPPDATA%\RuneLite\RuneLite.exe" --developer-modeCheck ~/.runelite/logs/client.log after launch. If it reports a concrete launcher version instead of launcher version unknown, the sideloaded plugin path will not be active; use the direct Java/helper workflow below.
To update the plugin, close RuneLite, replace the old jar in sideloaded-plugins with the new detect-auto-alchers.jar, and start RuneLite through the developer-mode launch path again.
Sideloaded plugins require RuneLite developer mode. RuneLite's current client code only enables developer mode when --developer-mode is present and the client was not started with RuneLite launcher metadata. Its plugin manager also returns before loading ~/.runelite/sideloaded-plugins/ unless developer mode is active. That is why the Jagex Launcher is useful for authentication capture, but not for the final sideloaded-plugin client.
We verified the launch split this way:
launcher.logshows the Jagex Launcher and RuneLite launcher configuration as separate client arguments and JVM arguments.client.logshows whether RuneLite started with a launcher version or withlauncher version unknown.- Direct client launches with
--developer-modeand no launcher metadata load jars fromsideloaded-plugins; Jagex Launcher-backed launches do not.
The Jagex Launcher still matters for Jagex accounts. RuneLite's Jagex-account development guide documents --insecure-write-credentials, which writes Jagex Launcher credentials to ~/.runelite/credentials.properties. That file permits passwordless login. Keep it private, keep it out of git, and treat any copied credential file as a password.
For credential capture, configure the RuneLite launcher with only this client argument:
--insecure-write-credentials
On macOS, the RuneLite launcher configuration window can be opened with:
/Applications/RuneLite.app/Contents/MacOS/RuneLite --configureDo not put -ea in the client arguments. -ea is a JVM assertion flag, not a RuneLite client flag, and assertion-enabled credential-capture launches are not needed. Current developer-mode client launches may still check for assertions, so handle that tradeoff in your local helper script instead of in the Jagex Launcher credential-capture configuration.
For multiple Jagex-account characters, capture each character once:
- Open the Jagex Launcher.
- Select one in-game character.
- Launch RuneLite from the Jagex Launcher with
--insecure-write-credentialsconfigured. - Let RuneLite reach the login screen, lobby, or game, then close RuneLite.
- Save the captured
~/.runelite/credentials.propertiesinto a per-character credential file. - Repeat for each additional character.
- Remove
--insecure-write-credentialsfrom the RuneLite launcher configuration after enrollment.
The local macOS workflow for this repo uses shell functions in ~/.zsh/runelite-dev.zsh:
source ~/.zsh/runelite-dev.zsh
# Save the most recently captured Jagex Launcher credential.
rl-save-current
# List saved credentials by character display name only.
rl-list-credentials
# Launch a saved character through the direct developer-mode client path.
rl-fp
rl-wnaf
rl-apThose functions are intentionally outside the repository because they contain local account/profile mappings. The important pieces of the helper are:
rl-save-currentreads the global~/.runelite/credentials.properties, verifies the expectedJX_*fields, and atomically saves it under~/.runelite/credentials/<JX_CHARACTER_ID>.properties.~/.runelite/credentials/is mode0700; credential files andcredentials.propertiesare mode0600.rl-list-credentialsprints character display names and permission status only. It does not print character IDs, tokens, or file contents.rl-dev "<display name>" "<RuneLite profile>"finds the matching saved credential byJX_DISPLAY_NAME, rejects missing or duplicate matches, and passes a relative credential path as a JVM property:-Drunelite.credentials.path=credentials/<JX_CHARACTER_ID>.properties.- The
rl-*wrappers callrl-devwith the correct existing RuneLite settings profile.--profileselects RuneLite configuration, not a Jagex character. - The helper selects the newest complete RuneLite runtime triplet from
~/.runelite/repository2instead of hardcoding one RuneLite version.
The resulting launch shape is:
java [JVM options and RuneLite classpath] \
-Drunelite.credentials.path=credentials/<JX_CHARACTER_ID>.properties \
net.runelite.client.RuneLite \
--developer-mode \
--profile="<existing RuneLite settings profile>"
--sessionfile is not used for this workflow. It is RuneLite session/profile-sync state, not the per-character Jagex authentication selector. Character selection comes from the credential file selected with runelite.credentials.path; settings selection comes from --profile.
If RuneLite updates, launch RuneLite normally once from the Jagex Launcher or the RuneLite launcher so ~/.runelite/repository2 receives the new client jars, then use the rl-* helpers again. If a saved character stops authenticating, repeat the Jagex Launcher capture for that character and run rl-save-current again.
Install JDK 11 for RuneLite plugin development. This project compiles Java 11-compatible bytecode via Gradle's options.release.set(11) setting.
Gradle 8.10 can currently run on JDK 11, but Gradle 9 will require launching Gradle with JDK 17+. If the Gradle wrapper is upgraded later, keep the project compiling with Java 11 compatibility.
Then run:
./gradlew test
./gradlew runThe run task starts RuneLite in developer mode with this external plugin loaded.
To build the end-user sideload jar locally:
./gradlew clean test sideloadJarThe stable sideload artifact is written to:
build/sideloaded-plugins/detect-auto-alchers.jar
Do not distribute the shadowJar output to end users. It is a development fat jar for launcher/debug flows, not the RuneLite sideload artifact.


