diff --git a/entrypoint.sh b/entrypoint.sh
index 6445434c..26ad5ea2 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -32,6 +32,7 @@ export SCORECARD_RESULTS_FORMAT="$INPUT_RESULTS_FORMAT"
 export SCORECARD_PUBLISH_RESULTS="$INPUT_PUBLISH_RESULTS"
 # https://docs.github.com/en/actions/learn-github-actions/environment-variables
 export SCORECARD_PRIVATE_REPOSITORY="$(jq '.repository.private' $GITHUB_EVENT_PATH)"
+export SCORECARD_IS_FORK="$(jq '.repository.fork' $GITHUB_EVENT_PATH)"
 export SCORECARD_BIN="/scorecard"
 export ENABLED_CHECKS=
 
@@ -50,11 +51,25 @@ fi
 echo "Event file: $GITHUB_EVENT_PATH"
 echo "Event name: $GITHUB_EVENT_NAME"
 echo "Ref: $GITHUB_REF"
+echo "Fork repository: $SCORECARD_IS_FORK"
 echo "Private repository: $SCORECARD_PRIVATE_REPOSITORY"
 echo "Publication enabled: $SCORECARD_PUBLISH_RESULTS"
 echo "Format: $SCORECARD_RESULTS_FORMAT"
 echo "Policy file: $SCORECARD_POLICY_FILE"
 
+if [[ -z "$GITHUB_AUTH_TOKEN" ]]; then
+ echo "The 'repo_token' variable is empty."
+
+ if [[ "$SCORECARD_IS_FORK" == "true" ]]; then
+ echo "We have detected you are running on a fork."
+ fi
+
+ echo "Please follow the instructions at https://github.com/ossf/scorecard-action#authentication to create the read-only PAT token."
+ exit 1
+fi
+
+
+
 # Note: this will fail if we push to a branch on the same repo, so it will show as failing
 # on forked repos.
 if [[ "$GITHUB_EVENT_NAME" != "pull_request"* ]] && ! [[ "$GITHUB_REF" =~ ^refs/heads/(main|master)$ ]]; then
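Review bot: The added `SCORECARD_IS_FORK` line passes `$GITHUB_EVENT_PATH` to `jq` unquoted, and `export VAR="$(...)"` discards jq's exit status, so a missing or malformed event file would leave the variable empty without any error. Splitting it into `SCORECARD_IS_FORK="$(jq '.repository.fork' "$GITHUB_EVENT_PATH")"` followed by `export SCORECARD_IS_FORK` keeps the status visible; whether the script runs under `set -e` cannot be seen from this hunk. The `SCORECARD_PRIVATE_REPOSITORY` line just above has the same shape. jq prints `null` when the payload has no `.repository.fork`, which the later `== "true"` comparison quietly treats as not a fork, so a short comment saying that is intended would help.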
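Review bot: The fork hint inside the new `GITHUB_AUTH_TOKEN` check fires only when `.repository.fork` is true, which describes the repository the workflow runs in. A pull request opened from a fork against the upstream repository also runs without secrets, and there `repository` is presumably the base repo, so that user gets only the generic message. Consider also reading `.pull_request.head.repo.fork` and stating the reason, e.g. `echo "Secrets such as the PAT are not passed to workflows on or from a fork." >&2`. The failure text currently goes to stdout; adding `>&2` to these `echo` lines keeps it apart from normal output. The three blank lines added after the closing `fi` can be reduced to one.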