PyPI upload token
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
A PyPI API token (pypi-...) was found. It can upload distributions to your PyPI project, a direct supply-chain risk.
Why it matters
A PyPI API token can upload distributions to your PyPI project, which is a direct supply-chain attack on everyone who installs the package. A leaked token is scanned for and used quickly. Project-scoped tokens still allow publishing to that project.
How to fix it
Move the token into a CI secret and use it only at publish time (for example via trusted publishing / OIDC where possible). Read it at runtime. Delete the exposed token in your PyPI account settings.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo