transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits


 



Assuming config key transfer.credentialsInUrl is set to "warn", Git warns about "plaintext credentials" if the user includes a password in the remote URL (https://git-scm.com/docs/git-config#Documentation/git-config.txt-transfercredentialsInUrl). This is implemented in remote.c.

    $ git clone https://tim:hunter2@xxxxxxxxxxx/example.git
    warning: URL 'https://tim:<redacted>@example.com/example.git' uses plaintext credentials

It would be neat to warn similarly if the user includes a personal access token in the *user* field of the remote URL:

    git clone https://<pat>@github.com/...

This is a popular practice according to StackOverflow https://stackoverflow.com/a/70320541/284795 (800k views).

GitHub personal access tokens are easily recognised by their prefixes "ghp_" and "github_pat_" https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github#githubs-token-formats 

#leftoverbits
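
A sketch of the check requested above, as an added example (not part of the original message and not Git's remote.c code). The names `url_user_field` and `url_user_is_pat` and the sample URLs are hypothetical; the only prefixes matched are the two named in the message.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes named in the post; hypothetical table, not from Git's source. */
static const char *const pat_prefixes[] = { "ghp_", "github_pat_" };

/* Find the user field of "scheme://user[:pass]@host/..."; NULL if no userinfo. */
static const char *url_user_field(const char *url, size_t *len)
{
	const char *start = strstr(url, "://");
	const char *end, *at = NULL, *p, *colon;
	if (!start)
		return NULL;
	start += 3;
	end = start + strcspn(start, "/?#");	/* end of authority */
	for (p = start; p < end; p++)
		if (*p == '@')
			at = p;			/* last '@' ends the userinfo */
	if (!at)
		return NULL;
	colon = memchr(start, ':', at - start);	/* user stops at first ':' */
	*len = (colon ? colon : at) - start;
	return start;
}

/* Hypothetical helper: 1 if the user field is a known prefix plus a body. */
int url_user_is_pat(const char *url)
{
	size_t len, i, n;
	const char *user = url_user_field(url, &len);
	if (!user)
		return 0;
	for (i = 0; i < sizeof(pat_prefixes) / sizeof(*pat_prefixes); i++) {
		n = strlen(pat_prefixes[i]);
		if (len > n && !strncmp(user, pat_prefixes[i], n))
			return 1;
	}
	return 0;
}

int main(void)
{
	/* Constructed URLs; the token is a placeholder, not a real one. */
	const char *urls[] = { "https://ghp_EXAMPLE0000@github.com/o/r.git",
			       "https://tim:hunter2@example.com/example.git" };
	for (int i = 0; i < 2; i++)
		printf("url %d: %s\n", i, url_user_is_pat(urls[i]) ? "token in user field" : "ok");
	return 0;
}
```

The check looks only at the authority part of the URL, so an "@" or a "ghp_" string in the path does not trigger it, and the token itself is never printed.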



