google-ads

[Skill Scanner] Backtick command substitution detected All findings: [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This skill is coherent with its stated purpose: it documents a managed gateway (Maton) that proxies Google Ads API calls and handles OAuth. There is no code-level evidence of obfuscation, backdoors, or programmatic data exfiltration in the provided documentation. The primary security concern is architectural: all API keys, OAuth tokens and query data are routed through a third-party (maton.ai) rather than sent directly to Google. That design is acceptable for a managed gateway but requires the user/organization to trust Maton with sensitive data. If you cannot trust Maton or need to keep credentials and raw ad data within your own environment, do not use this managed gateway. Otherwise the document appears benign but with a moderate supply-chain/trust risk due to third-party mediation of credentials and data. LLM verification: The provided code fragment is documentation for a managed Google Ads gateway that centralizes OAuth and API access through Maton. There is no direct evidence of malicious code or obfuscation in the fragment itself. The primary risk is architectural/trust-based: supplying MATON_API_KEY and allowing Maton to manage OAuth connections grants the service broad access to Google Ads accounts and data. Session tokens in URLs are a minor hygiene concern. Recommend treating Maton as a high-trust party — v