
I am not really sure how this works exactly, but since they are receiving my email and SSH keys from GitHub, can't they simply use them for malicious purposes?



The SSH key that GitHub has is considered public. The public key can't be used maliciously. The private key is on your machine. The two keys have to be used together to make anything happen.

https://en.wikipedia.org/wiki/Public-key_cryptography

https://www.youtube.com/watch?v=GSIDS_lvRv4


They have access to the public key, not the private key. If you're sufficiently paranoid you could imagine someone acquiring gtihub.com and waiting for `git origin add` typos (let's hope you're also paranoid enough to not ignore new/unknown server keys being added to your known_hosts file).
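
A defensive check for the typo scenario raised in the comment above, as an added example that is not part of the thread: it extracts the host from a git remote URL and flags hosts that are near-misses of a trusted host. The trusted-host list, the function names and the distance threshold are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the hosts you actually intend to push to.
TRUSTED_HOSTS = {"github.com"}

# scp-like remote syntax, e.g. git@github.com:user/repo.git
SCP_LIKE = re.compile(r"^(?:[^@/\s]+@)?([^:/\s]+):(?!//)")

def remote_host(url):
    """Return the host of an ssh://, https:// or scp-like remote URL ('' if none)."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    m = SCP_LIKE.match(url)
    return m.group(1).lower() if m else ""

def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(url, trusted=TRUSTED_HOSTS, max_dist=2):
    """Label a remote URL as 'trusted', 'lookalike' (near-miss of a trusted host) or 'unknown'."""
    host = remote_host(url)
    if host in trusted:
        return "trusted"
    if host and any(osa_distance(host, t) <= max_dist for t in trusted):
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample remotes, not taken from any real repository.
    for url in ("git@github.com:user/repo.git", "git@gtihub.com:user/repo.git"):
        print(url, "->", classify(url))
```

Feeding it the output of `git remote -v` before the first push catches a mistyped host before SSH ever prompts about an unknown server key.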




