What matters most is that the open-source gets audited and only posting WIF passphrase gets used in the app.

As long as the Active or Owner keys aren't entered, I can't imagine any major risk.

Being able to build on top of the Steem blockchain without permission is a huge value proposition for the ecosystem.