That's right. And just as @raddevus mentioned it's a possibility to revoke the API key right after checking your stats.
Submitting your API key does require a certain level of trust especially because the DEV Api offers POST services such as posting an article but there is no way - as far I know - to generate a read-only API Key.
On my side, what I could do is masking the API Key as if it would be a password and putting a notice mentioning that the API key is not going to be stored by the app.
By the way, thanks, Benedict, for this nice write up.
At the same time, as I'm writing these lines I noticed that Flask logs it as part of the incoming get request on the backend side. I'll have to figure out how to remove those logs, how to prevent to log these events.
At the same time, I also added an About modal, so I also learnt a bit about how to use NG Bootstrap's Modal module.
In the coming days, I want to sort out this problem with the backend logs and add some error handling in case there is a problem with the API key.
Feel free to try DevAnalytics and leave a comment.