The API key is public, because it's client side. So not privileged, however forks of coracle that are not up to date and havenct removed the bugsnag key may still be vulnerable.