Describe the bug
Scorecard can receive as input the name of the package from npm, pypi and rubygems ecosystems as per the documentation. Reading the documentation, it was not clear to me that I needed to provide the package name and providing a package URL does not throw an error but runs the evaluation with a weird behavior.

Reproduction steps
Steps to reproduce the behavior:

1. Run Scorecard v4.10.2 with --npm=https://github.com/airbnb/lottie-web
2. See output results for repo: name: github.com/perrmadiafrrian/react-lottie-light

Expected behavior
I expected Scorecard would warn me I made a mistake in the --npm flag input and not run the evaluation for an unexpected repository.

Additional context
None.