This is a great followup, Mark, thank you for covering the issue so thoroughly!
It's really interesting that the API key requirement factors into the comments of Professor Brigida, and the EIA itself.
Prof. Brigida is right on that the API key requirement makes it difficult to do interactive JavaScript analyses without exposing the API key. This came up all the time (and I'm sure still does) at the Sunlight Foundation, which does a lot of JavaScript data visualizations that talk directly to its APIs, as do many of its clients. Typically, the answer is to just put the key in your source code, and if it does get stolen or abused, then worry about it on the enforcement end. Sunlight is pretty chill like that, and of course the API key is only for read-only public data stuff.
The EIA's argument that the API key requirement is what's halting the publishing of their source code doesn't hold water, though. Not wanting to expose the API key may very well mean that when you download the extension, the extension needs to be a compiled, encrypted binary so that people can't yank the key out of it. However, they could absolutely still publish the source code online for people to view, fork, and improve -- and just not publish the API key in the released code.
While it's possible that kind of workflow might mean some slight refactor of the Excel plugin's code, avoiding hardcoding of keys/passwords into source code is an *extremely* common (and good) practice. Lots of open source projects require the use of private keys to communicate with authenticated systems. It's not a blocker to making the Excel plugin open source.
For an example of this, see 18F's analytics-reporter, a command line tool for speaking with the Google Analytics API, that powers https://analytics.usa.gov. The tool requires a sensitive private key that has authorized access to the US government's Google Analytics account, and the contents of this key are provided by reference via an environment variable. Other software systems will have different appropriate methods of doing this kind of thing.
In any case, not suggesting you go back for another follow-up. :) This resolved some important questions (like whether or not the plugin uses only public methods), and got some interesting detail from Prof. Brigida. Glad to see this stuff getting attention!
-- Eric
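
The workflow described in the comment above, as an added Python example that is not part of the comment or of the projects it mentions: the key is read from an environment variable at runtime, and a pre-publish check scans the source tree for the key value so it cannot ship in released code. The variable name `EIA_API_KEY`, the function names and the sample files are assumptions made for the example.

```python
import base64
import os
import tempfile
from pathlib import Path

KEY_ENV_VAR = "EIA_API_KEY"  # hypothetical variable name, not taken from the comment


def load_api_key(env=os.environ):
    """Return the key supplied at runtime; fail closed if it is absent."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; refusing to run without a key")
    return key


def find_key_leaks(source_root, key):
    """Return (relative path, line number) for every line in the tree holding the key.

    Looks for the raw value and its standalone base64 form. The key itself comes
    from the release job's environment, so the check never stores it in the repo.
    """
    needles = [key.encode(), base64.b64encode(key.encode())]
    hits = []
    for path in sorted(Path(source_root).rglob("*")):
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_bytes().splitlines(), start=1):
            if any(needle in line for needle in needles):
                hits.append((path.relative_to(source_root).as_posix(), lineno))
    return hits


def demo():
    """Build a constructed two-file source tree and scan it before publishing."""
    key = load_api_key({KEY_ENV_VAR: "CONSTRUCTED-KEY-0123456789"})  # constructed value
    with tempfile.TemporaryDirectory() as root:
        # Reads the key by reference: safe to publish.
        Path(root, "client.py").write_text(f'import os\nKEY = os.environ["{KEY_ENV_VAR}"]\n')
        # Hardcodes the key: must be caught before release.
        Path(root, "legacy.py").write_text(f'# old build\nKEY = "{key}"\n')
        return find_key_leaks(root, key)


if __name__ == "__main__":
    for rel, lineno in demo():
        print(f"key found in {rel}:{lineno}; do not publish")
```
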