Very. this is against the developer agreement.
Any oAuth/Bearer token is essentially a Password and should not be released publicly.
Let alone someone can take your oAuth token and clientID and go and burn up your webhook limits or other malicious actions.