That's perfectly understandable... it does use Steemconnect, but I totally get where you're coming from.
@mstafford is the dude who built it and has a lot of plans to get businesses involved, so I do honestly think your posting key would be in good hands.
If it makes people feel better -- I do intend to (eventually) incorporate @yabapmatt's Steem KeyChain project as another option for authentication... Probably a little ways off at this point, though.
Nice. Let me know when that integration premiers.
My main worry is that the posting key is sufficient to post the JSON operations to transfer @steemmonsters.
@yabapmatt have there been any issues with posting key hijacking to acquire monsters?
Fair enough. I'd be surprised, though, if all you needed was the posting key to hijack cards -- that certainly would be concerning. I would imagine the team will lay out some info on this sooner or later. Good thought, though.
My understanding is that card operations are custom JSON transactions. These only require the posting key to send. For example, one logs into steemmonsters.com with their posting key.
It just dawned on me... I have set my app to ask for permissions for custom_JSON operations, but I don't really need it -- at least not yet.
I'll update things tonight to no longer get scope for custom_json.
This doesn't really affect anything in terms of providing your posting-key to SteemConnect, but SC does (I believe) manage scope for posting authority.