gtm-setup

Warn

Audited by Socket on Feb 28, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This repository is an automation helper for obtaining OAuth credentials and validating Google Tag Manager API access. Its capabilities and requested file access align with its stated purpose (installing googleapis, reading/writing OAuth credentials and tokens, and calling Google APIs). The main security considerations are supply-chain risk from programmatically running 'npm install' (which triggers package lifecycle scripts), and the local storage of sensitive tokens (gtm-token.json) with only advisory guidance to add it to .gitignore. There are no signs of network calls to attacker-controlled domains, hidden backdoors, obfuscated code, or credential forwarding to third parties. Overall this appears functionally appropriate for its purpose but carries normal operational risks (token leakage, install-time supply-chain exposure) that should be mitigated by developer practices (pinning dependencies, auditing installed packages, and automatically ignoring token files).

Confidence: 80%
Severity: 75%
Audit Metadata
Analyzed At
Feb 28, 2026, 12:03 PM
Package URL
pkg:socket/skills-sh/aimonk2025%2Fgoogle-tag-manager-automation%2Fgtm-setup%2F@c05fd65641f0e9d4dd6e16c10e45068c3d20722e