
They've got their Twitter / Facebook / OAuth secret keys in there. Doesn't that mean everyone who sees this can act as Tumblr and post to those services on behalf of users?

I hope they've changed them.



Nope, you need the users' token to perform that (given that they gave post-to-wall permission). However, using the Facebook secret key, you can ban users from using your app. But then again, you need the user ID.


But you could have users log into your site and then act as Tumblr. If they already OK'd the Tumblr app, they would never know. Otherwise they'd just have to ignore the screen saying what app you're OKing (and most people, I'd wager, would, and just think you were using Tumblr for something).

Right?



