Sorry for the vague answer, but without more details I can't be more specific. In general there are certain patterns and code techniques that are commonly used by malware to overflow buffers in browsers, thus giving the attacker control of the system. The Javascript itself is just used as a conduit to the browser. Often, Shellcode bytes are encoded into javascript for delivery to an unsuspecting user's browser. If you have encoded data being delivered through Javascript, it may appear as suspicious to Google's heuristics engine.
It is also possible that you are using similar techniques to poisonous scripts (sometimes used for Cross-site scripting (XSS) and Cross-site request forgery (CSRF)) to accomplish some of your work, and this is a good way to get flagged by Google.
Another possibility is that your website code is fine, but it has a security hole that causes Google concern because a malicious user can exploit your site. To determine this I recommend using a web scanner such as Nikto, Burp Suite (my personal favorite), Acunetix, etc. to try and find security holes.
You can also find a lot of great info at OWASP
I hope this helps, as having your site flagged by Google can cause a lot of frustration and anxiety. Good luck!