Mastodon Scout

Pass. Audited by ClawScan on May 1, 2026.

Overview

Mastodon Scout appears to be a transparent read-only Mastodon viewer; the main thing to watch is that it requires a Mastodon OAuth token.

Before installing, create a separate Mastodon token with only read permissions, confirm the instance URL matches the account that issued the token, and remember that raw JSON or timeline output may include personal account and timeline details.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can read Mastodon data available to the provided token, such as the home timeline, mentions, and the authenticated user's posts.

Why it was flagged

The skill uses a Mastodon OAuth bearer token to authenticate API requests. This is purpose-aligned for reading authenticated timelines and mentions, but it is still account credential access.

Skill content

token = os.environ.get('MASTODON_TOKEN', '') ... 'Authorization': f'Bearer {token}'

Recommendation

Use a dedicated Mastodon token with only the `read` scope, set `MASTODON_INSTANCE` or `--instance` to the correct trusted instance, and revoke the token if you stop using the skill.