A Google Maps API key that is enabled without proper referrer restrictions was found in your repo. It can be embedded in anyone's website, and if the billing account is active, it will incur charges on your account. If Google Maps is not used in your project, then all the following APIs should be disabled for your key; otherwise, proper access control should be enforced to prevent its abuse by an attacker.
Visit this link to verify that it's not protected with referrer restrictions.
However, with the proper restrictions, it should return a Forbidden error.
Staticmap -> $2 per 1000 requests
An attacker is able to abuse your API key. If billing is enabled in your profile, attackers can use your key while your account gets charged.
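
A way for the key owner to script the check described above against their own key, as an added example that is not part of the original report. The Static Maps endpoint is Google's public one; the query values, the function names and the injectable `fetch` parameter are assumptions made for illustration.

```python
import urllib.error
import urllib.parse
import urllib.request

STATICMAP_URL = "https://maps.googleapis.com/maps/api/staticmap"


def build_url(api_key):
    """Build a minimal Static Maps request (constructed sample parameters)."""
    query = urllib.parse.urlencode(
        {"center": "45,10", "zoom": "7", "size": "400x400", "key": api_key}
    )
    return f"{STATICMAP_URL}?{query}"


def classify(status, content_type):
    """Map a response to a request sent without a Referer header to a finding."""
    if status == 403:
        return "restricted"    # the Forbidden error the report expects
    if status == 200 and content_type.startswith("image/"):
        return "unrestricted"  # a map image was served: any site can use the key
    return "inconclusive"      # disabled API, quota error, proxy page, ...


def _http_fetch(url):
    """Fetch the URL and return (status, content_type)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:  # 4xx/5xx are raised as exceptions
        return err.code, err.headers.get("Content-Type", "")


def check_key(api_key, fetch=_http_fetch):
    """Request a static map with your own key and classify the answer.

    `fetch` takes a URL and returns (status, content_type); it is injectable
    so the classification can be exercised without network access.
    """
    status, content_type = fetch(build_url(api_key))
    return classify(status, content_type)
```

Run `check_key("<your key>")` after changing the restrictions in the Google Cloud console; a result of `restricted` means the unauthenticated request was refused.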