Hi Paul,
Matteo I think Dan is correct though in that malicious code could be uploaded via a Scorm message and stored ready for a teacher or administrator to view.
TNX for recalling me the scope of your first post: a value of the CMI data model via SCORM call vs a SCORM package, I was discussing about a SCORM Package .
I think I will make enquiries here about what our clients Moodle set up is capable of for checking content and data sent by content
AFAIK you need a Web Application Firewall (WAF) since those "SCORM messages" are actually plain HTTP POSTs in Moodle (and in most LMSs): beware that configuring a WAF could be tricky due to false positives behind the corner.
HTH,
Matteo