If they wanted to. The only thing OCP really does is it reads the publicly available sitemap file that the site author has created, and crawls the site just like a search engine spider which has read the sitemap would, making normal GET requests for each of the URLs in the sitemap. (Basically the same as if you opened the sitemap.xml file in your browser and manually clicked every link.) Each GET request prompts the server to use whatever caching mechanism(s) it has in place, e.g. W3 Total Cache or WP-Super-Cache. OCP doesn't decide what mechanism to use, nor how it should be used.
It wouldn't really be possible to have verification and keep OCP in its current form, a stand-alone piece of software. Besides, if somebody wanted to use it maliciously to e.g. perform a DoS attack, there are much "better" tools that they could use--ones that don't care about sitemaps at all.
If people receive unwanted hits from OCP, they can block the IP address of the person(s) using the tool, or block the user-agent, "Optimus Cache Prime", itself.