Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- index.js:23
- Evidence
apiKey: process.env.NOTFAIR_API_KEY || (typeof cfg.apiKey === "string" ? cfg.apiKey : undefined),
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a coherent NotFair/Google Ads integration, but it can access stored NotFair credentials and invoke high-impact Google Ads tools, so users should review approvals carefully.
Install this only if you trust NotFair with your connected Google Ads data. Treat any campaign, budget, bid, keyword, ad, or delete action as money-affecting: review the exact proposed change before approving it, and remove stored tokens/config entries when you no longer need the plugin.
62/62 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
apiKey: process.env.NOTFAIR_API_KEY || (typeof cfg.apiKey === "string" ? cfg.apiKey : undefined),
return { accessToken: [REDACTED], expiresAt: Date.now() + expiresIn * 1000 };