I’m not sure this is the case due to this.
Not for certain. There are certain measures a website can put into place to prevent this, like the MAC/IP cookie that OP mentioned. If someone else tried to use your cookie, they’d fail. They could spoof your MAC/IP address, but that’s significantly more difficult than just having someone copy/paste the ROBLOSECURITY code to you.
Edit: If it’s hashed as OP suggested, I don’t think they’d be able to find out your IP/MAC address. They could of course tell people to send them that information as well, but people would start to get suspicious when they’re being asked to open the command prompt.