You realize that the oauth token is tied to the client app, right? Not only can GitHub see that this action was taken by/through a third party service, they can also see all actions taken by that service across all users. So there are much better ways to detect and correct the abuse.
All oauth tokens are authorized by users. So GitHub sees the app and sees the users who authorized the app. Users are responsible for all the bots that act in their names.
Otherwise it would be quite simple to write a malbot and then claim innocence because it was the bot doing it, not me.
I think the approach to automation is best when the authority and responsibility always ties back to an individual or group.
