Your IP is in the Administrator IP Whitelist or you in the Do not block these IPs field in the Configure WAF page. As per the documentation of Admin Tools, this causes all security checks (including the administrator secret key) to be ignored for this IP address. Essentially, you have told Admin Tools to not perform any security check AT ALL for these IP addresses. Since the administrator secret URL parameter is a security check, when Admin Tools sees that your IP is in the list of "safe" IP addresses, it doesn't perform the check. As a result, you can access your administrator login page with an invalid or no secret URL key.
Please read the documentation of the component very carefully, especially if the last time you read it was over 3 months ago.