Scout
Pass
Audited by ClawScan on May 10, 2026.
Overview
Scout appears purpose-aligned for agent trust scoring, but its optional local tools use Moltbook account credentials, can reply to DMs, and can initiate USDC payments if the user runs them.
Scout looks coherent for checking agent trust before payments. Before installing or running local scripts, decide whether you actually need DM automation or payment support. If you do, use a dedicated API key and a low-balance/testnet wallet, start with dry-run mode, and verify every recipient and amount before authorizing a real transfer.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user supplies these keys, the local scripts may access Moltbook account functions and, for payment flows, sign wallet transactions.
The skill discloses use of an API key and wallet private key for local scripts. This is expected for Moltbook access and payment functionality, but these credentials grant sensitive account/payment authority.
`MOLTBOOK_API_KEY` | Yes | Moltbook API key ... `SCOUT_PRIVATE_KEY` | For payments | Wallet key (Base Sepolia)
Use a dedicated Moltbook key and a low-balance/testnet wallet key; avoid using a wallet with valuable funds; revoke or rotate credentials after testing.
Running the payment script without dry-run could authorize a USDC transfer to the specified address.
The skill includes a user-directed USDC payment helper. This fits the stated trust-gated payment purpose, but non-dry-run use can move funds and should require careful user verification.
node scripts/safe-pay.js --agent <name> --to <address> --amount <usdc> --task "desc" [--dry-run]
Run with --dry-run first, verify the recipient, amount, network, and agent score, and only execute a real payment with explicit user approval.
If run, the bot can process incoming DMs and send trust-report replies from the configured Moltbook account.
The DM bot reads Moltbook DM activity and sends replies in conversations. This is disclosed by the dm-bot description and purpose-aligned, but it handles private messages and sends automated account responses.
const check = await this.client._request('/agents/dm/check'); ... await this._post(`/agents/dm/conversations/${convo.id}/send`, { message: reply });
Run the DM bot only on an intended account, monitor its replies, and avoid giving it an API key for an account where automated DM responses would be unsafe.
