I doubt that you care that much since the data isn't sensitive but just a heads up.
It's security-by-obscurity, maybe (as all public "secret token" URLs are) but it's better than what you're implying.
EDIT: You are right in theory though.
This is strictly as a learning exercise, no malicious intent on my part.
My first guess for the CSV was SITE/counter.csv