Why does Function.toString() reveal a hooked function?
Every JavaScript function can be stringified with Function.prototype.toString(). A genuine built-in returns a body of { [native code] }; a function you defined returns its actual source. That difference is a reliable way to tell a real API from a replacement.
Stealth scripts that override a getter — say, to hide navigator.webdriver — expose themselves the moment a detector stringifies it. And re-acquiring a pristine toString from a fresh iframe defeats attempts to also patch toString.
This is why JavaScript-level spoofing self-reveals, and why Clearcote governs identity in the C++ engine: the getters are native, so they stringify as native in every realm. See how detection works.