All privileged writes should have CSRF tokens submitted along with the request.
Because tools.wmflabs.org is shared, any tool on the site can easily use JavaScript to forge a request (even if it is a POST, SOP can't help you here) and act on the user's behalf.
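One way a tool could issue and check such a token on its privileged writes, as an added example that is not code from any tool on the site. The names `TOOL_SECRET`, `issue_csrf_token`, `check_request` and the `csrf_token` form field are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: each tool holds its own server-side secret, never sent to the browser.
TOOL_SECRET = secrets.token_bytes(32)

# Methods that must never change state, so they carry no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session_id() -> str:
    """Random identifier stored in the user's session cookie."""
    return secrets.token_urlsafe(32)


def issue_csrf_token(session_id: str, action: str) -> str:
    """Token bound to one session and one privileged action.

    The tool embeds it as a hidden field in the form it renders.
    """
    msg = f"{session_id}|{action}".encode()
    return hmac.new(TOOL_SECRET, msg, hashlib.sha256).hexdigest()


def check_request(method: str, session_id: str, action: str, form: dict) -> bool:
    """Return True if the request may proceed to the write handler."""
    if method.upper() in SAFE_METHODS:
        return True
    supplied = form.get("csrf_token", "")
    if not isinstance(supplied, str) or not supplied:
        return False  # a forged request that only rides the cookie has no token
    expected = issue_csrf_token(session_id, action)
    # Constant-time comparison; encoding first also tolerates non-ASCII input.
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    sid = new_session_id()  # constructed sample session
    token = issue_csrf_token(sid, "delete-page")
    print("legitimate POST:", check_request("POST", sid, "delete-page", {"csrf_token": token}))
    print("POST without token:", check_request("POST", sid, "delete-page", {}))
    print("token from another session:",
          check_request("POST", new_session_id(), "delete-page", {"csrf_token": token}))
```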