Something to think about. The ones I have seen have the generic “You shouldn’t include your API key in your code message” but they don’t provide an alternative and junior developers just build their entire apps around the package, then they are stuck an publish.
I think the creators know and published while they were testing out the API.