If it is so profitable, how come you don't just use it yourself instead of selling it?
Obvious answer to an obvious question: because I make money selling my bot, like any other bot's dev does.

Genuine answer I hope...
Is there a way to ensure it does not exploit login info, or that it won't just send funds to some random address?
Of course: login info is not used in Poloniex API calls at all (Reference), and the rule of thumb for your API key (clearly exposed in the bot manual): DO NOT ENABLE WITHDRAWALS on your polo API keys and you are safe enough.
Not trying to be a buzzkill...
You are not. You are just expressing your legit doubts like anyone else out there. The difference is: they think it, you said it.

I appreciate your way