This thread and this article will assist you. Basically, never trust the client and implement server-sided checks.
I assume you are using the Collection Service. As far as I am aware, if the cloned object has already been tagged then there is no reason to tag it again.
I found this post:
Which would imply that you should have no issues with exploiters.
Check out this article about the Client-Server Model.