@stefansundin reported that several Gist API endpoints could be used to list a user’s secret Gists when using an OAuth access token that had been granted no authorization scopes. We addressed this issue by modifying these API endpoints to only include secret Gists if the token has the gist scope.
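The check described above, sketched as an added example (not GitHub's code): a listing filter before and after the fix. The `Gist` and `Token` types, the function names, the comma-separated scope string and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Gist:
    id: str
    owner: str
    public: bool


@dataclass(frozen=True)
class Token:
    user: str
    scopes: frozenset


def parse_scopes(value):
    """Parse a comma-separated scope list (assumed format); '' means no scopes."""
    return frozenset(s.strip() for s in value.split(",") if s.strip())


def list_gists_before_fix(token, gists):
    # Reported behaviour: the token's identity alone unlocked secret gists.
    return [g for g in gists if g.public or g.owner == token.user]


def list_gists_after_fix(token, gists):
    # Fixed behaviour: secret gists require ownership AND the gist scope.
    has_gist_scope = "gist" in token.scopes
    return [g for g in gists
            if g.public or (g.owner == token.user and has_gist_scope)]


# Constructed sample data: one public and one secret gist for alice,
# plus a secret gist owned by someone else.
GISTS = [
    Gist("g1", "alice", True),
    Gist("g2", "alice", False),
    Gist("g3", "bob", False),
]


def visible_ids(lister, scope_value, user="alice"):
    """Return the gist ids a token with the given scopes would be shown."""
    token = Token(user, parse_scopes(scope_value))
    return [g.id for g in lister(token, GISTS)]


if __name__ == "__main__":
    for scopes in ("", "repo", "gist", "repo, gist"):
        print(repr(scopes),
              visible_ids(list_gists_before_fix, scopes),
              visible_ids(list_gists_after_fix, scopes))
```

Running the same scope matrix against every endpoint that returns gists is a useful regression test, since the report covered several endpoints rather than one.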