Can an access token with empty scope be used maliciously?

So I wish to use an Emacs plugin called grip-mode, which uses an application called grip under the hood that uses GitHub’s API to render markdown text. But unless an access token (which can have an empty scope) is provided, it hits GitHub’s hourly rate limits. So I wish to put an empty-scoped access token for grip-mode. Problem is, my Emacs configuration is stored in a public repository, and so, I want to make sure an access token with an empty scope can’t be used maliciously before I put it in my configuration. So, can an empty-scoped access token be used maliciously? Or is it harmless to use it?

Hey there @famiu :wave:

I think the real concern is whether or not the token would get picked up by our security scanning service. We have a service that scans public repositories for tokens and will revoke the token automatically. Essentially to avoid abuse, as you’re rightly concerned about.

So I suppose my question is, in order to use grip-mode, do you need to store your config in a public repository? Is there another option to authorize the plugin to perform the tasks you’re hoping to perform?