Well, if it's a trading bot then it will need API access to the exchanges it works with. That part sounds legit. We use that for Forgotten Crypt as well, although we are working on an API-free alternative as well.
Most exchanges let users customize what the API key will allow. Most certainly nobody should provide API keys with transfer/withdraw permission to any app, human, or cyborg!!