HACS uses the GitHub API to gather information about all available and downloaded repositories. This API is rate limited to 60 requests every hour for unauthenticated requests, which is not enough. So HACS needs to make authenticated requests to that API.
A OAuth token with no scopes which grants read-only access to public information (including user profile info, repository info, and gists), will be used.
For more information about what HACS updates/refreshes when have a look at Data sources