UNLICENSED package published to a public-looking remote
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
package.json declares "UNLICENSED" (all rights reserved, no reuse granted) while its own repository/homepage metadata names a public host. This is a coarse heuristic: a public UNLICENSED repo is a legitimate choice, not a bug on its own.
Why it matters
"UNLICENSED" is a deliberate, valid choice meaning all rights reserved and no reuse permitted, and plenty of legitimate projects stay public on a git host for visibility or portfolio reasons while keeping that stance. The combination is also exactly what an accidentally-public private repository looks like, so it is worth a human glance rather than an automatic assumption either way.
How to fix it
If the closed-source stance is intentional, no change is needed beyond optionally noting it in the README so visitors understand why there is no open license. If the repository was meant to stay private, make it private on the git host and rotate any secrets that were exposed while it was public.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo