Could nosy or bad Facebook apps be detected without API access, possibly by reputation?

Highlighted
F-Secure

Could nosy or bad Facebook apps be detected without API access, possibly by reputation?

A fellow we follow on Twitter recently tweeted: "#facebook apps are scary. Educating users is not enough. Could AV detect nosy web apps without some fb api?" Wondering if it's a possibility. Thanks!